A critical path traversal vulnerability in the Fortinet Wireless Manager (FortiWLM) could allow an unauthenticated attacker to gain access to sensitive files. The impact of the vulnerability is rated 9.6 on a scale of 1 to 10. Fortinet has released security updates to fix the problem.
Through the Fortinet Wireless Manager, an ‘application suite’, organizations can monitor, operate and manage their WiFi networks. Fortinet did not provide any further details about the vulnerability (CVE-2023-34990), except to say that it is a relative path traversal vulnerability that was found and reported by a researcher at security company Horizon3.ai.
The researcher disclosed several vulnerabilities in FortiWLM that he had discovered last March. This included a vulnerability without a CVE number and update that makes it possible to steal arbitrary log files containing admin session ID tokens and thus take over the device. The vulnerability was reported to Fortinet on May 12, 2023, the researcher said.
In short:
Aspect | Detail |
---|---|
Vulnerability | Critical path traversal vulnerability in Fortinet Wireless Manager (CVE-2023-34990) |
Impact | Rated 9.6 out of 10 |
Attacker Access | Unauthenticated attackers can access sensitive files |
Discovery and Reporting | Discovered by a researcher at Horizon3.ai, reported to Fortinet on May 12, 2023 |
Mitigation | Fortinet has released security updates to address the vulnerability |