CVE-2023-48783
In short
A user with only read-only access to FortiPortal can retrieve data belonging to other organizations by sending specially crafted requests. This bypasses the permission controls that are supposed to prevent cross-organization access.
Technical detail
An authorization bypass vulnerability in FortiPortal allows authenticated users with minimal privileges to reach endpoints belonging to other organizations through manipulated GET requests. The root cause is insufficient validation of user-controlled identifiers against the organization-level access boundary, so a low-privileged user of one tenant can read another tenant's resources (a horizontal privilege escalation across tenants).
Summary generated and translated by AI from the official description.
An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting FortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access other organizations' endpoints via crafted GET requests.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:X/RC:R
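The CWE-639 pattern described above, shown as an added example that is not FortiPortal's code: a tenant-scoped GET handler that keys its lookup on the caller-supplied organization id, beside the hardened form that checks that id against the organization bound to the authenticated session. The Session fields, the device names and the endpoint shape are assumptions.

```python
# Added example (not FortiPortal code): the CWE-639 pattern behind this advisory.
# The vulnerable handler trusts the organization id from the request path; the
# hardened one enforces that it matches the tenant bound to the session.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    org_id: int      # tenant the authenticated user belongs to (assumed field)
    role: str        # "read-only" is the lowest privilege on the portal


# Constructed sample data standing in for per-organization endpoints.
ORG_DEVICES = {
    100: ["fw-acme-edge-1", "fw-acme-edge-2"],
    200: ["fw-globex-core-1"],
}


class Forbidden(Exception):
    pass


def get_devices_vulnerable(session: Session, requested_org_id: int) -> list[str]:
    """GET /orgs/<id>/devices as a CWE-639 handler: authentication is checked,
    but the lookup is keyed on whatever org id the caller put in the URL."""
    if session.role not in ("read-only", "admin"):
        raise Forbidden("not authenticated")
    return list(ORG_DEVICES.get(requested_org_id, []))


def get_devices_hardened(session: Session, requested_org_id: int) -> list[str]:
    """Same endpoint with the tenant boundary enforced server-side: the
    user-controlled id must equal the org bound to the session."""
    if session.role not in ("read-only", "admin"):
        raise Forbidden("not authenticated")
    if requested_org_id != session.org_id:
        # Same error as for an unknown org, so the response does not confirm
        # which other tenant ids exist.
        raise Forbidden("organization not accessible")
    return list(ORG_DEVICES.get(requested_org_id, []))


def cross_tenant_read_possible(handler, session: Session, other_org: int) -> bool:
    """Regression check: does `handler` return another tenant's data to `session`?"""
    try:
        return len(handler(session, other_org)) > 0
    except Forbidden:
        return False
```

The check at the end is the kind of regression test a defender would keep in the suite: it must stay False for every tenant-scoped handler.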
Affected products
Fortinet · FortiPortal