CVE-2023-22637: 
FortiNAC vulnerability analysis and mitigation

An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability [CWE-79] was discovered in FortiNAC's License Management component. The vulnerability, identified as CVE-2023-22637, was disclosed on May 3, 2023. It affects multiple versions of FortiNAC products including FortiNAC-F version 7.2.0, FortiNAC versions 9.4.2 and below, 9.2, 9.1, 8.8, and 8.7 all versions (Fortinet Advisory).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) issue that can trigger Remote Code Execution (RCE) through license key forgery. It received a CVSSv3 score of 5.9, categorizing it as Medium severity. While Fortinet assessed it with a CVSS vector of CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H, the National Vulnerability Database rated it as Critical with a base score of 9.0 and vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability allows an authenticated attacker to execute unauthorized code or commands through crafted licenses. The successful exploitation could lead to remote code execution on the affected system, potentially compromising the security of the FortiNAC deployment (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiNAC-F version 7.2.1 or above, or FortiNAC version 9.4.3 or above, depending on their current deployment (Fortinet Advisory).

The vulnerability was responsibly disclosed by Ilya "E Liu Ha" Polyakov from Angara Security (Fortinet Advisory).