Security News > 2024 > March > Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software
2024-03-14 04:21

Fortinet has alerted users to a severe vulnerability in FortiClientEMS, enabling potential attacker-driven code execution.

This SQL Injection flaw, identified as CVE-2023-48788 with a 9.3 CVSS score, affects FortiClientEMS versions 7.2.0 to 7.2.2 and 7.0.1 to 7.0.10; users should upgrade to safer versions. Credits for the discovery go to Thiago Santana and the U.K.'s NCSC.

Additionally, critical vulnerabilities in FortiOS and FortiProxy (CVE-2023-42789 and CVE-2023-42790, both rated 9.3) could allow attackers to run arbitrary code through malformed HTTP requests, affecting various versions with specified upgrade paths.

Despite no current exploitation reports, Fortinet emphasizes prompt patching due to past abuses of unpatched systems.


News URL

https://thehackernews.com/2024/03/fortinet-warns-of-severe-sqli.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-03-12 CVE-2023-48788 Unspecified vulnerability in Fortinet Forticlient Enterprise Management Server
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
network
low complexity
fortinet
critical
9.8
2024-03-12 CVE-2023-42790 Unspecified vulnerability in Fortinet Fortios and Fortiproxy
A stack-based buffer overflow in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.
network
high complexity
fortinet
8.1
2024-03-12 CVE-2023-42789 Unspecified vulnerability in Fortinet Fortios
A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.
network
low complexity
fortinet
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 77 15 314 277 81 687