FortiPortal - Insufficient Access Control over API endpoints

Jan. 9, 2024, 8 a.m. |

FortiGuard Labs | FortiGuard Center - IR Advisories fortiguard.fortinet.com

An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting FortiPortal may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests.

access access control api api endpoints authorization bypass control cwe endpoints key may organization permissions requests vulnerability

Visit resource

More from fortiguard.fortinet.com / FortiGuard Labs | FortiGuard Center - IR Advisories

FortiOS - Web server ETag exposure 3 weeks, 6 days ago | fortiguard.fortinet.com

actor attacker cwe device +17

FortiSandbox - Arbitrary file read on endpoint 3 weeks, 6 days ago | fortiguard.fortinet.com

arbitrary files attacker cwe directory +12

FortiNAC-F - Lack of certificate validation 3 weeks, 6 days ago | fortiguard.fortinet.com

attack attacker certificate channel +12

FortiOS - Format String in CLI command 3 weeks, 6 days ago | fortiguard.fortinet.com

access admin arbitrary code attacker +16

FortiOS & FortiProxy - administrator cookie leakage 3 weeks, 6 days ago | fortiguard.fortinet.com

administrator attacker conditions cookie +10

FortiSandbox - Arbitrary file delete on endpoint 3 weeks, 6 days ago | fortiguard.fortinet.com

arbitrary files attacker cwe delete +13

FortiClientMac - Lack of configuration file validation 3 weeks, 6 days ago | fortiguard.fortinet.com

arbitrary code attacker code configuration +15

FortiManager - Code Injection via Jinja Template 3 weeks, 6 days ago | fortiguard.fortinet.com

arbitrary code attacker code code injection +11

FortiSandbox - Arbitrary file write on CLI leading to arbitrary code execution 3 weeks, 6 days ago | fortiguard.fortinet.com

access admin arbitrary code arbitrary code execution +16

Principal - Cyber Risk and Assurance - Infra/Network

@ GSK | Bengaluru Luxor North Tower

View on infosec-jobs.com

Staff Security Engineer

@ Airwallex | AU - Melbourne

View on infosec-jobs.com

Chief Information Security Officer

@ Australian Payments Plus | Sydney, New South Wales, Australia

View on infosec-jobs.com

TW Test Automation Engineer (Access Control & Intrusion Systems)

@ Bosch Group | Taipei, Taiwan

View on infosec-jobs.com

Consultant infrastructure sécurité H/F

@ Hifield | Sèvres, France

View on infosec-jobs.com

SOC Analyst

@ Wix | Tel Aviv, Israel

View on infosec-jobs.com

View more jobs

all InfoSec news

FortiPortal - Insufficient Access Control over API endpoints

More from fortiguard.fortinet.com / FortiGuard Labs | FortiGuard Center - IR Advisories

Jobs in InfoSec / Cybersecurity

Principal - Cyber Risk and Assurance - Infra/Network

Staff Security Engineer

Chief Information Security Officer

TW Test Automation Engineer (Access Control & Intrusion Systems)

Consultant infrastructure sécurité H/F

SOC Analyst