CVE-2022-39946: 
FortiNAC vulnerability analysis and mitigation

An access control vulnerability (CWE-284) was discovered in FortiNAC affecting multiple versions including 9.4.2 and below, 9.2.7 and below, and all versions of 9.1, 8.8, 8.7, 8.6, and 8.5. The vulnerability was initially published on June 12, 2023, and allows a remote attacker authenticated on the administrative interface to perform unauthorized jsp calls via crafted HTTP requests (Fortinet Advisory).

The vulnerability is tracked as CVE-2022-39946 and has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as an improper access control issue (CWE-284) that could allow authenticated users to bypass intended access restrictions through crafted HTTP requests targeting JSP functionality (NVD).

The vulnerability could potentially lead to unauthorized access to administrative functions, allowing attackers to compromise the confidentiality, integrity, and availability of the affected system. The high CVSS score indicates significant potential impact if successfully exploited (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to one of the following versions: FortiNAC-F version 7.2.0 or above, FortiNAC version 9.4.3 or above, or FortiNAC version 9.2.8 or above (Fortinet Advisory).