CVE-2024-23111 — Cross-site Scripting in Fortinet FortiOS
Severity
4.8 MEDIUM (NVD)
6.8 (CNA)
EPSS
0.2%
top 62.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 11
Description
An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in the reboot page of FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions may allow a remote privileged attacker with super-admin access to execute JavaScript code via crafted HTTP GET requests.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7
Affected Packages: 4 packages
Vulnerability Details (2)
CVEList
CVE-2024-23111: An improper neutralization of input during web page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiOS version 7 (2024-06-11)
GHSA
GHSA-wx67-x394-5q2f: A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7 (2024-06-11)