CVE-2021-26110

An improper access control vulnerability [CWE-284] in FortiOS autod daemon 7.0.0, 6.4.6 and below, 6.2.9 and below, 6.0.12 and below and FortiProxy 2.0.1 and below, 1.2.9 and below may allow an authenticated low-privileged attacker to escalate their privileges to super_admin via a specific crafted configuration of fabric automation CLI script and auto-script features.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
fortinetCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
fortinetfortiproxy
1.0.0 ≤
𝑥
≤ 1.0.7
fortinetfortiproxy
1.1.0 ≤
𝑥
≤ 1.1.6
fortinetfortiproxy
1.2.0 ≤
𝑥
≤ 1.2.9
fortinetfortiproxy
2.0.0
fortinetfortiproxy
2.0.1
fortinetfortios
5.6.0 ≤
𝑥
≤ 5.6.14
fortinetfortios
6.0.0 ≤
𝑥
≤ 6.0.12
fortinetfortios
6.2.0 ≤
𝑥
≤ 6.2.9
fortinetfortios
6.4.0 ≤
𝑥
≤ 6.4.6
fortinetfortios
7.0.0
𝑥
= Vulnerable software versions
References
https://fortiguard.com/advisory/FG-IR-20-131
https://fortiguard.com/advisory/FG-IR-20-131