Multiple path traversal vulnerabilities
Summary
A relative path traversal vulnerability [CWE-23] in FortiSIEM file upload components may allow an authenticated, low privileged user of the FortiSIEM GUI to escalate their privilege and replace arbitrary files on the underlying filesystem via specifically crafted HTTP requests.
Affected Products
FortiSIEM version 7.0.0
FortiSIEM version 6.7.0 through 6.7.3
FortiSIEM version 6.6.0 through 6.6.3
FortiSIEM version 6.5.0 through 6.5.1
FortiSIEM version 6.4.0 through 6.4.2
Solutions
Please upgrade to FortiSIEM version 7.0.1 or above
Please upgrade to FortiSIEM version 6.7.4 or above
Please upgrade to FortiSIEM version 6.6.4 or above
Please upgrade to FortiSIEM version 6.5.2 or above
Please upgrade to FortiSIEM version 6.4.3 or above
Acknowledgement
Internally discovered and reported by Lance Yeaw from the ETAC team.
Timeline
2023-10-11: Initial publication