CVE-2023-26207: 
FortiOS vulnerability analysis and mitigation

An insertion of sensitive information into log file vulnerability (CWE-532) was discovered in Fortinet FortiOS versions 7.2.0 through 7.2.4 and FortiProxy versions 7.0.0 through 7.0.10. The vulnerability was discovered internally by Goutham Dhongadi Rukmasah of Fortinet R&D team and was initially published on June 12, 2023 (Fortinet Advisory).

The vulnerability is classified as an insertion of sensitive information into log file vulnerability that affects the CLI component of FortiOS and FortiProxy. It has been assigned a CVSSv3 base score of 3.3 (Low) by Fortinet, while the NVD assessment rates it at 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows an authenticated attacker to read certain passwords in ciphertext format from log events. This could potentially lead to information disclosure of sensitive data (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. For FortiOS, users should upgrade to version 7.2.6 or above if running 7.2.x versions, or to version 7.0.16 or above if running 7.0.x versions. For FortiProxy, users should upgrade to version 7.2.2 or above if running 7.2.x versions, or to version 7.0.8 or above if running 7.0.x versions. Users running FortiProxy 2.0.x should upgrade to version 2.0.13 or above (Fortinet Advisory).