Description

According to Fortinet's report, the FortiNAC web server is vulnerable to unauthenticated arbitrary file upload due to a directory traversal vulnerability that occurs when unpacking a user-provided zip file at the endpoint /configWizard/keyUpload.jsp. The following versions are affected:

  • FortiNAC version 9.4.0
  • FortiNAC version 9.2.0 through 9.2.5
  • FortiNAC version 9.1.0 through 9.1.7
  • FortiNAC versions 8.3 through 8.8

Remediation

Please upgrade to FortiNAC version 9.4.1 or above.
Please upgrade to FortiNAC version 9.2.6 or above.
Please upgrade to FortiNAC version 9.1.8 or above.
Please upgrade to FortiNAC version 7.2.0 or above.

References

FortiNAC - External Control of File Name or Path in keyUpload scriptlet

Perspectives: FortiNAC and CVE-2022-39952

Related Vulnerabilities

Umbraco CMS TemplateService remote code execution

Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface

Drupal Core Remote Code Execution (8.0.0 - 9.2.21)

WordPress Plugin Gutenberg Block Editor Toolkit-EditorsKit Remote Code Execution (1.31.5)

ManageEngine Desktop Central Deserialization RCE (CVE-2020-10189)

Severity

High

Classification

CVE-2022-39952 CWE-610 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Unauthenticated File Upload Arbitrary File Creation Directory Traversal