CVE-2024-36509
MEDIUMFortiWeb 6.3.0-6.3.23, 7.0.0-7.0.10, 7.2.0-7.2.10, 7.4.0-7.4.3, 7.6.0 - Sensitive Info Exposure via Log Access
Title source: llmDescription
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page.
References (1)
Core 1
Core References
Vendor Advisory
https://fortiguard.fortinet.com/psirt/FG-IR-24-180
Scores
CVSS v3
4.2
EPSS
0.0021
EPSS Percentile
10.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-497
Status
published
Products (2)
fortinet/fortiweb
7.6.0
fortinet/fortiweb
6.3.0 - 7.4.4
Published
Nov 12, 2024
Tracked Since
Feb 18, 2026