CVE-2023-37930

08.04.2025, 14:15

Multiple issues including the use of uninitialized ressources [CWE-908] and excessive iteration [CWE-834] vulnerabilities in Fortinet FortiOS SSL VPN webmode version 7.4.0, version 7.2.0 through 7.2.5, version 7.0.1 through 7.0.11 and version 6.4.7 through 6.4.14 and Fortinet FortiProxy SSL VPN webmode version 7.2.0 through 7.2.6 and version 7.0.0 through 7.0.12 allows a VPN user to corrupt memory potentially leading to code or commands execution via specifically crafted requests.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
fortinet	CNA	6.7 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Vendor	Product	Version
fortinet	fortios	6.4.7 ≤ 𝑥 < 6.4.15
fortinet	fortios	7.0.1 ≤ 𝑥 < 7.0.13
fortinet	fortios	7.2.0 ≤ 𝑥 < 7.2.6
fortinet	fortios	7.4.0
fortinet	fortiproxy	7.0.0 ≤ 𝑥 < 7.0.13
fortinet	fortiproxy	7.2.0 ≤ 𝑥 < 7.2.7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-908 - Use of Uninitialized Resource
The software uses or accesses a resource that has not been initialized.

References

https://fortiguard.com/psirt/FG-IR-23-165