← Back

CVE-2023-37931

nvd nist
Published: Jan 14, 2025Modified: Jul 22, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: psirt@fortinet.com (Secondary)

Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-88] in FortiVoice Entreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind sql injection attack via sending crafted HTTP or HTTPS requests

Affected (2)

Products: Fortinet: Fortivoice
Fortinet
1 product
Fortivoice
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Fortinet
Fortivoice
From 6.0.0 to 6.4.9
Fortivoice
From 7.0.0 to 7.0.2

Related CWEs

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (1)

Source: psirt@fortinet.com
Vendor Advisory

Timeline

No history available yet.