Improper profile-based access control over APIs Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-22-056 Final 1 1 2023-04-11T00:00:00 Current version 2023-04-11T00:00:00 2023-04-11T00:00:00 An improper privilege management vulnerability [CWE-269] in FortiSandbox & FortiDeceptor may allow a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests. None Execute unauthorized code or commands FortiDeceptor version 4.1.0FortiDeceptor version 4.0.0 through 4.0.2FortiDeceptor version 3.3.0 through 3.3.3FortiDeceptor 3.2 all versionsFortiDeceptor 3.1 all versionsFortiDeceptor 3.0 all versionsFortiDeceptor 2.1 all versionsFortiDeceptor 2.0 all versionsFortiDeceptor 1.1 all versionsFortiDeceptor 1.0 all versionsAt leastFortiSandbox version 4.2.0 through 4.2.2FortiSandbox version 4.0.0 through 4.0.2FortiSandbox version 3.2.0 through 3.2.3FortiSandbox 3.1 all versionsFortiSandbox 3.0 all versionsFortiSandbox 2.5 all versions Upgrade to FortiSandbox version 4.2.3 or aboveUpgrade to FortiSandbox version 4.0.3 or aboveUpgrade to FortiSandbox version 3.2.4 or aboveUpgrade to FortiDeceptor version 4.2.0 or aboveUpgrade to FortiDeceptor version 4.1.1 or above Internally discovered and reported by Théo Leleu of Fortinet Product Security team. CVE-2022-27487 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-22-056 Improper profile-based access control over APIs Reference>