CVE-2024-23104
Information Disclosure in Fortinet FortiNDR and FortiVoice
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: Fortinet, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortivoice | From 7.0.0 (inc) to 7.0.2 (exc) |
| fortinet | fortindr | 7.6.0 |
| fortinet | fortindr | From 7.0.0 (inc) to 7.4.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the exposure of sensitive information in Fortinet FortiNDR and FortiVoice products. A remote authenticated attacker who has at least read-only permission on system maintenance can exploit this issue by sending specially crafted HTTP requests to access backup information that should be protected.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive backup information. This could potentially allow attackers to gain insights into system configurations or sensitive data stored in backups, which may be used for further attacks or unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability involves the exposure of sensitive information to an unauthorized actor, which could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA. Unauthorized access to backup information may result in the compromise of personal or protected health information, thereby violating confidentiality requirements mandated by these standards.
However, specific impacts on compliance depend on the nature of the exposed data and the organization's mitigation measures.