CVE-2024-33501

CWE-89SQL Injection4 documents4 sources
Severity
6.7MEDIUM
EPSS
0.0%
top 92.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Fortinet FortianalyzerFortinet Fortianalyzer BIG DataFortinet Fortimanager
Timeline
PublishedMar 11

Description

Two improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5, FortiManager version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData version 7.4.0 and before 7.2.7 allows a privileged attacker to execute unauthorized code or commands via specifically crafted CLI requests.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 0.8 | Impact: 3.4

Affected Packages4 packages

NVDfortinet/fortianalyzer_big_data6.4.57.2.8+1
NVDfortinet/fortianalyzer6.4.07.2.6+1
NVDfortinet/fortimanager6.2.87.2.6+2
CVEListV5fortinet/fortimanager7.4.07.4.2+5

🔴Vulnerability Details

2
CVEList
CVE-2024-33501: Two improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiAnalyzer version 72025-03-11
GHSA
GHSA-h7wp-62hc-fvm5: Two improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiAnalyzer version 72025-03-11

📋Vendor Advisories

1
Fortinet
Authenticated SQLI on CLI2025-03-11
CVE-2024-33501 (MEDIUM CVSS 6.7) | Two improper neutralization of spec | cvebase.io