CVE-2024-54026

CWE-89SQL Injection4 documents4 sources
Severity
8.8HIGH
EPSS
0.1%
top 78.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet FortisandboxFortinet Fortisandbox Cloud
Timeline
PublishedMar 11

Description

An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDfortinet/fortisandbox3.0.04.4.7
CVEListV5fortinet/fortisandbox4.4.04.4.6+5

🔴Vulnerability Details

2
CVEList
CVE-2024-54026: An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 42025-03-11
GHSA
GHSA-j6hj-9xq3-x536: An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox Cloud version 232025-03-11

📋Vendor Advisories

1
Fortinet
error based SQLI on device del feature2025-03-11
CVE-2024-54026 (HIGH CVSS 8.8) | An improper neutralization of speci | cvebase.io