Two critical vulnerabilities in Fortinet's FortiSIEM product have been assigned provisional CVSS scores of 10.
What is known so far is that the vulnerabilities, tracked as CVE-2024-23108 and CVE-2024-23109, are command injection flaws that could let threat actors use crafted API requests to execute unauthorized code.
FortiSIEM is Fortinet's security information and event management (SIEM) platform, used to support enterprise cybersecurity operations centers.
FortiSIEM versions impacted by the flaws include version 7.1.0 through 7.1.1; 7.0.0 through 7.0.2; 6.7.0 through 6.7.8; 6.6.0 through 6.6.3; 6.5.0 through 6.5.2; and 6.4.0 through 6.4.2, according to the CVE entries.
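As an added example (not code from the article or from Fortinet), a small triage script that checks FortiSIEM version strings from an asset inventory against the affected ranges listed above, comparing version components numerically so that a string such as "6.10.0" is not mis-ordered; the host names and versions in the sample inventory are constructed.

```python
"""Triage helper: flag FortiSIEM versions inside the ranges the CVE entries list."""
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Affected ranges as given in the CVE entries (inclusive at both ends).
AFFECTED_RANGES = [
    ("7.1.0", "7.1.1"),
    ("7.0.0", "7.0.2"),
    ("6.7.0", "6.7.8"),
    ("6.6.0", "6.6.3"),
    ("6.5.0", "6.5.2"),
    ("6.4.0", "6.4.2"),
]


def parse_version(text: str) -> Version:
    """Turn '7.1.1' into (7, 1, 1) so comparison is numeric, not lexical
    (a plain string compare would wrongly rank '6.10.0' below '6.7.0')."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED_RANGES)


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Return (host, version, affected) for each (host, version) pair."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


# Constructed sample inventory: hypothetical hosts, not from the article.
SAMPLE_INVENTORY = [
    ("siem-prod-01", "7.1.1"),
    ("siem-prod-02", "7.0.3"),
    ("siem-lab-01", "6.7.8"),
    ("siem-lab-02", "6.8.0"),
]

if __name__ == "__main__":
    for host, ver, hit in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:8} {'AFFECTED' if hit else 'not in listed ranges'}")
```

A version outside every listed range is reported as "not in listed ranges" rather than "safe", since the article only reproduces the ranges from the CVE entries.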
The link Fortinet provided for information on the flaws leads to a write-up on another FortiSIEM vulnerability from October 2023, suggesting there might be a link between that bug and these new discoveries.
The previous flaw was assigned a CVSS score of 9.7.
Dark Reading asked Fortinet for additional details but has not yet received a response.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 06 Feb 2024 20:10:15 +0000