Multiple XML external entity (XXE) injection

Multiple XML external entity (XXE) injection Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-22-304 Final 1 1 2023-02-16T00:00:00 Current version 2023-02-16T00:00:00 2023-02-16T00:00:00 An improper restriction of XML external entity reference vulnerability [CWE-611] in the parser of XML requests of FortiNAC may allow an unauthenticated attacker to trigger a denial of service or read arbitrary files from the underlying file system via specifically crafted XML documents. None Information disclosure FortiNAC version 9.4.0 through 9.4.1FortiNAC 9.2 all versionsFortiNAC 9.1 all versionsFortiNAC 8.8 all versionsFortiNAC 8.7 all versionsFortiNAC 8.6 all versionsFortiNAC 8.5 all versionsFortiNAC 8.3 all versionsFortiNAC 7.2 all versions are not affected Please upgrade to FortiNAC version 9.4.2 or abovePlease upgrade to FortiNAC version 7.2.0 or above Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team. FortiNAC 9.4.1 FortiNAC 9.4.0 FortiNAC 9.2.8 FortiNAC 9.2.7 FortiNAC 9.2.6 FortiNAC 9.2.5 FortiNAC 9.2.4 FortiNAC 9.2.3 FortiNAC 9.2.2 FortiNAC 9.2.1 FortiNAC 9.2.0 FortiNAC 9.1.10 FortiNAC 9.1.9 FortiNAC 9.1.8 FortiNAC 9.1.7 FortiNAC 9.1.6 FortiNAC 9.1.5 FortiNAC 9.1.4 FortiNAC 9.1.3 FortiNAC 9.1.2 FortiNAC 9.1.1 FortiNAC 9.1.0 FortiNAC 8.8.11 FortiNAC 8.8.10 FortiNAC 8.8.9 FortiNAC 8.8.8 FortiNAC 8.8.7 FortiNAC 8.8.6 FortiNAC 8.8.5 FortiNAC 8.8.4 FortiNAC 8.8.3 FortiNAC 8.8.2 FortiNAC 8.8.1 FortiNAC 8.8.0 FortiNAC 8.7.6 FortiNAC 8.7.5 FortiNAC 8.7.4 FortiNAC 8.7.3 FortiNAC 8.7.2 FortiNAC 8.7.1 FortiNAC 8.7.0 FortiNAC 8.6.5 FortiNAC 8.6.4 FortiNAC 8.6.3 FortiNAC 8.6.2 FortiNAC 8.6.1 FortiNAC 8.6.0 FortiNAC 8.5.4 FortiNAC 8.5.3 FortiNAC 8.5.2 FortiNAC 8.5.1 FortiNAC 8.5.0 FortiNAC 8.3.7 Multiple XML external entity (XXE) injection CVE-2022-39954 FortiNAC-9.4.1 FortiNAC-9.4.0 FortiNAC-9.2.8 FortiNAC-9.2.7 FortiNAC-9.2.6 FortiNAC-9.2.5 FortiNAC-9.2.4 FortiNAC-9.2.3 FortiNAC-9.2.2 FortiNAC-9.2.1 FortiNAC-9.2.0 FortiNAC-9.1.10 FortiNAC-9.1.9 FortiNAC-9.1.8 FortiNAC-9.1.7 FortiNAC-9.1.6 FortiNAC-9.1.5 FortiNAC-9.1.4 FortiNAC-9.1.3 FortiNAC-9.1.2 FortiNAC-9.1.1 FortiNAC-9.1.0 FortiNAC-8.8.11 FortiNAC-8.8.10 FortiNAC-8.8.9 FortiNAC-8.8.8 FortiNAC-8.8.7 FortiNAC-8.8.6 FortiNAC-8.8.5 FortiNAC-8.8.4 FortiNAC-8.8.3 FortiNAC-8.8.2 FortiNAC-8.8.1 FortiNAC-8.8.0 FortiNAC-8.7.6 FortiNAC-8.7.5 FortiNAC-8.7.4 FortiNAC-8.7.3 FortiNAC-8.7.2 FortiNAC-8.7.1 FortiNAC-8.7.0 FortiNAC-8.6.5 FortiNAC-8.6.4 FortiNAC-8.6.3 FortiNAC-8.6.2 FortiNAC-8.6.1 FortiNAC-8.6.0 FortiNAC-8.5.4 FortiNAC-8.5.3 FortiNAC-8.5.2 FortiNAC-8.5.1 FortiNAC-8.5.0 FortiNAC-8.3.7 6.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-22-304 Multiple XML external entity (XXE) injection Reference>