CVE-2024-33510: Improperly Implemented Security Check for Standard in Fortinet FortiOS

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.5% (top 34.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 12 (2024)

Description

An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Exploitability: 2.8 | Impact: 1.4)

Affected Packages (4 packages)

NVD: fortinet/fortios 7.0.0 to 7.2.9 (+1 more range)
NVD: fortinet/fortiproxy 7.0.0 to 7.0.17 (+2 more ranges)
CVEListV5: fortinet/fortios 7.4.0 to 7.4.3 (+2 more ranges)
CVEListV5: fortinet/fortiproxy 7.4.0 to 7.4.3 (+2 more ranges)
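The practical question for most readers is whether a given build falls inside the ranges the description quotes. As an added example (not cvebase's or Fortinet's code), here is a small check that encodes exactly the "x.y.z and below" list from the description for FortiOS, FortiProxy and FortiSASE. It assumes Fortinet's "and below" applies within the named x.y release branch, so a branch the advisory does not mention (7.6, 6.4) is reported as "unlisted" rather than as safe; the host inventory it runs over is constructed for the example.

```python
"""Affected-version check for CVE-2024-33510.

Added example built from the version list in the advisory description;
not cvebase's or Fortinet's code.
"""

# From the description: per product, the highest affected patch level on each
# release branch ("x.y.z and below"). Assumption: "and below" is read within
# the x.y branch, so 7.2.8-and-below says nothing about 7.0.x (which has its
# own entry) or about branches the advisory does not name at all.
AFFECTED = {
    "fortios":    {(7, 4): 3, (7, 2): 8, (7, 0): 16},
    "fortiproxy": {(7, 4): 3, (7, 2): 9, (7, 0): 16},
}
# FortiSASE is named as a single build, not a branch range.
AFFECTED_FORTISASE = {"24.2.b"}


def parse_version(text):
    """Turn '7.4.3' into (7, 4, 3); reject anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a version like 7.4.3, got {text!r}")
    return tuple(int(p) for p in parts)


def check(product, version):
    """Classify one product/version against the advisory.

    Returns 'affected', 'not_affected' (above the stated range on a branch
    the advisory names) or 'unlisted' (a branch or build the advisory does
    not mention; treat as unknown, not as safe).
    """
    key = product.strip().lower()
    if key == "fortisase":
        return "affected" if version.strip() in AFFECTED_FORTISASE else "unlisted"
    if key not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    major, minor, patch = parse_version(version)
    highest_affected = AFFECTED[key].get((major, minor))
    if highest_affected is None:
        return "unlisted"
    return "affected" if patch <= highest_affected else "not_affected"


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.3"),
    ("fw-edge-02", "FortiOS", "7.4.4"),
    ("fw-dc-01", "FortiOS", "7.0.16"),
    ("fw-lab-01", "FortiOS", "7.6.0"),
    ("proxy-01", "FortiProxy", "7.2.9"),
    ("proxy-02", "FortiProxy", "7.0.17"),
    ("sase-tenant", "FortiSASE", "24.2.b"),
]


def triage(inventory):
    """Run check() over (host, product, version) rows."""
    return [(host, product, version, check(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {product:11} {version:8} {status}")
```

A "not_affected" result is only relative to this CVE; the same branch may have other advisories. Note also that the package ranges listed above are the database's own encoding of the advisory, while this check follows the advisory text directly.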

🔴Vulnerability Details (2)

CVEList: CVE-2024-33510 (2024-11-12): An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7...
GHSA: GHSA-9gmw-9qg6-35hm (2024-11-12): An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7...

📋Vendor Advisories (1)

Fortinet: SSLVPN WEB UI Text injection (2024-11-12)
CVE-2024-33510 — Fortinet Fortios vulnerability | cvebase