CVE-2024-52960: Client-side enforcement of server-side security related to vm download feature
First published: Tue Mar 11 2025(Updated: )
A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiSandbox Firmware | >=4.4.0<4.4.6<4.2.7 | |
| Fortinet FortiSandbox Firmware | =. | |
| Fortinet FortiSandbox Firmware | >=4.4.0<=4.4.6 | |
| Fortinet FortiSandbox Firmware | >=4.2.0<=4.2.7 | |
| Fortinet FortiSandbox Firmware | >=4.0 | |
| Fortinet FortiSandbox Firmware | >=3.2 | |
| Fortinet FortiSandbox Firmware | >=3.1 | |
| Fortinet FortiSandbox Firmware | >=3.0 |
Remedy
Please upgrade to FortiSandbox version 5.0.1 or above Please upgrade to FortiSandbox version 4.4.7 or above Please upgrade to FortiSandbox version 4.2.8 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-52960?
CVE-2024-52960 is classified as a client-side enforcement of server-side security vulnerability with moderate severity.
How do I fix CVE-2024-52960?
To mitigate CVE-2024-52960, upgrade Fortinet FortiSandbox to version 5.0.1 or higher, or 4.4.7 or higher for versions 4.4.0 through 4.4.6, and 4.2.8 or higher for versions from 4.2.0 to 4.2.7.
What versions of Fortinet FortiSandbox are affected by CVE-2024-52960?
Fortinet FortiSandbox versions 4.4.0 through 4.4.6 and all versions prior to 4.2.7 are affected by CVE-2024-52960.
Can an unauthenticated user exploit CVE-2024-52960?
No, only an authenticated user with at least read-only permissions can exploit CVE-2024-52960.
What type of vulnerability is CVE-2024-52960?
CVE-2024-52960 is a client-side enforcement of server-side security vulnerability, indicating that it allows unauthorized commands to be executed via crafted requests.
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/type
- agent/weakness
- agent/guess-ai
- agent/software-canonical-lookup
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2024-52960
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- collector/fortiguard-psirt
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/source
- agent/severity
- agent/author
- agent/tags
- agent/event
- vendor/fortinet
- canonical/fortinet fortisandbox firmware
- version/fortinet fortisandbox firmware/.
- version/fortinet fortisandbox firmware/4.4.0
- version/fortinet fortisandbox firmware/4.4.6
- version/fortinet fortisandbox firmware/4.2.0
- version/fortinet fortisandbox firmware/4.2.7
- version/fortinet fortisandbox firmware/4.0
- version/fortinet fortisandbox firmware/3.2
- version/fortinet fortisandbox firmware/3.1
- version/fortinet fortisandbox firmware/3.0