Skip to main content

Fortiportal CVE-2023-48791

HIGH
Command Injection (CWE-77)
2023-12-13 psirt@fortinet.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 13, 2023 - 07:15 nvd
HIGH 8.8

DescriptionNVD

An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.

AnalysisAI

An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Command Injection (CWE-77), which allows attackers to inject arbitrary commands into system command execution. An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field. Affected products include: Fortinet Fortiportal. Version information: version 7.2.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized APIs, avoid shell execution, validate input with strict allowlists.

CVE-2024-26011 CRITICAL
9.8 Nov 12

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4

CVE-2021-32588 CRITICAL
9.8 Aug 18

A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4

CVE-2017-7337 CRITICAL
9.1 May 27

An improper Access Control vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to interact

CVE-2021-32590 HIGH
8.8 Aug 04

Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through

CVE-2025-24470 HIGH
8.6 Feb 11

An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.

CVE-2021-36172 HIGH
8.1 Nov 02

An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal bef

CVE-2021-32594 HIGH
8.1 Aug 04

An unrestricted file upload vulnerability in the web interface of FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5,

CVE-2017-7338 HIGH
7.5 May 27

A password management vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to carry out inf

CVE-2017-7731 HIGH
7.5 May 27

A weak password recovery vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows attacker to carry out inf

CVE-2024-23105 HIGH
7.5 May 14

A Use Of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal version 7.0.0 through 7.0.6 and version 7.2

CVE-2021-36174 HIGH
7.5 Nov 02

A memory allocation with excessive size value vulnerability in the license verification function of FortiPortal before 6

CVE-2021-32596 HIGH
7.5 Aug 04

A use of one-way hash with a predictable salt vulnerability in the password storing mechanism of FortiPortal 6.0.0 throu

Share

CVE-2023-48791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy