CVE-2024-21753

Published: Sep 10, 2024Modified: Sep 25, 2024

6.0

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

Exploitability: 1.2 / Impact: 4.7

Source: NVD

Description

A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiClientEMS versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.13, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8, 1.2.1 through 1.2.5 allows attacker to perform a denial of service, read or write a limited number of files via specially crafted HTTP requests

Affected (6)

Products: Fortinet: Forticlient Endpoint Management Server

Fortinet

1 product

Forticlient Endpoint Management Server

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Fortinet Forticlient Endpoint Management Server	From 1.2.1 to 1.2.5
Fortinet Forticlient Endpoint Management Server	From 6.0.0 to 6.0.8
Fortinet Forticlient Endpoint Management Server	From 6.2.0 to 6.2.9
Fortinet Forticlient Endpoint Management Server	From 6.4.0 to 6.4.9
Fortinet Forticlient Endpoint Management Server	From 7.0.0 to 7.0.13
Fortinet Forticlient Endpoint Management Server	From 7.2.0 to 7.2.4

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-23-362

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.