CVE-2023-37931
Published: 14 January 2025
Summary
CVE-2023-37931 is a high-severity SQL Injection (CWE-89) vulnerability in Fortinet FortiVoice. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 30.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-37931 is a SQL injection vulnerability (CWE-89) in FortiVoice Enterprise versions 7.0.0 through 7.0.1 and before 6.4.8. The flaw stems from improper neutralization of special elements used in an SQL command, allowing an authenticated attacker to execute a blind SQL injection attack by sending crafted HTTP or HTTPS requests. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An attacker requires low-privilege authenticated access (PR:L) to exploit the vulnerability over the network (AV:N) with low attack complexity and no user interaction. Exploitation enables a blind SQL injection, potentially allowing the attacker to extract sensitive data, modify database contents, or disrupt system availability, achieving high levels of confidentiality, integrity, and availability impact.
The FortiGuard PSIRT advisory FG-IR-23-220 provides details on mitigation and patches; security practitioners should consult https://fortiguard.com/psirt/FG-IR-23-220 for upgrade guidance and remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41784
Vulnerability details
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-88] in FortiVoice Enterprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind SQL injection attack via sending crafted HTTP or HTTPS requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-accessible web application (FortiVoice Enterprise) directly enables exploitation of a public-facing service for data access/modification or availability impact.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the SQL injection flaw in FortiVoice Enterprise by applying the vendor patches specified in the FortiGuard advisory.
- SI-10 (Information Input Validation): Prevents blind SQL injection by validating and sanitizing special elements in crafted HTTP/HTTPS request inputs before any SQL command is constructed.
- Detects exploitation of the SQL injection vulnerability through monitoring of web traffic, database queries, and anomalous system behavior.
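As an added illustration of what the CWE-89 description and the SI-10 control above mean in practice, the following Python is example code written for this page; it is not FortiVoice code and is not taken from the Fortinet advisory. It uses an in-memory SQLite table named `extensions` with constructed sample rows, shows a lookup that splices the request parameter into the SQL text (the CWE-89 pattern), and contrasts it with a lookup that binds the value as a parameter and validates its format first. The `blind_oracle_leaks` helper demonstrates why the page calls this a "blind" injection: the vulnerable lookup answers a true/false probe differently even though it never returns an error, while the parameterized lookup does not.

```python
"""CWE-89 in miniature: a spliced SQL string beside its parameterized, validated replacement.

Example code added for illustration; the table, rows and function names are assumptions,
not anything from FortiVoice or the FortiGuard advisory.
"""
import re
import sqlite3

# Constructed sample data standing in for an application's extension directory.
SAMPLE_ROWS = [
    ("1001", "alice", "sales"),
    ("1002", "bob", "support"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE extensions (ext TEXT PRIMARY KEY, owner TEXT, dept TEXT)")
    conn.executemany("INSERT INTO extensions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, ext):
    """CWE-89: the request parameter becomes part of the SQL text itself."""
    query = f"SELECT owner FROM extensions WHERE ext = '{ext}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, ext):
    """Parameter binding: the driver passes `ext` as data, never as SQL syntax."""
    row = conn.execute("SELECT owner FROM extensions WHERE ext = ?", (ext,)).fetchone()
    return row[0] if row else None


# SI-10 style allow-list: an extension is 3 to 6 digits, nothing else (assumed format).
EXT_PATTERN = re.compile(r"[0-9]{3,6}")


def lookup_hardened(conn, ext):
    """Input validation (SI-10) in front of parameter binding: defense in depth."""
    if not EXT_PATTERN.fullmatch(ext):
        raise ValueError("extension must be 3 to 6 digits")
    return lookup_parameterized(conn, ext)


def blind_oracle_leaks(lookup, conn):
    """Return True if the lookup acts as a yes/no oracle for injected conditions.

    A blind SQL injection needs no error message or data in the response: it only
    needs the application to behave differently when an injected condition is true
    versus false. Two probes that are identical except for that condition expose it.
    """
    probes = ("1001' AND '1'='1", "1001' AND '1'='2")
    results = []
    for probe in probes:
        try:
            results.append(lookup(conn, probe))
        except ValueError:
            results.append("rejected")  # validation refused the input outright
    return results[0] != results[1]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable leaks:", blind_oracle_leaks(lookup_vulnerable, db))      # True
    print("parameterized leaks:", blind_oracle_leaks(lookup_parameterized, db))  # False
    print("hardened leaks:", blind_oracle_leaks(lookup_hardened, db))          # False
```

Parameter binding alone closes the injection, because the database receives the value separately from the statement text; the allow-list check in `lookup_hardened` is the SI-10 layer that rejects malformed input before it reaches the database at all, which also gives the monitoring control a clean signal (rejected requests) to alert on. The same split applies to any other SQL driver that supports placeholders.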