First published: Tue Nov 12 2024
An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS and FortiProxy SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiOS | >=7.4.0 <=7.4.3 | Upgrade to 7.4.4 |
| Fortinet FortiOS | >=7.2.0 <=7.2.8 | Upgrade to 7.2.9 |
| Fortinet FortiOS | >=7.0 | |
| Fortinet FortiProxy | >=7.4.0 <=7.4.3 | Upgrade to 7.4.4 |
| Fortinet FortiProxy | >=7.2.0 <=7.2.9 | Upgrade to 7.2.10 |
| Fortinet FortiProxy | >=7.0.0 <=7.0.16 | |
The severity of FG-IR-24-033 is rated high because a remote, unauthenticated attacker can exploit it to mount phishing attacks against SSL-VPN users.
To fix FG-IR-24-033, upgrade to FortiOS version 7.4.4 or 7.2.9 and to FortiProxy version 7.4.4 or 7.2.10.
FG-IR-24-033 affects Fortinet FortiOS versions 7.4.0 to 7.4.3, 7.2.0 to 7.2.8, and FortiProxy versions 7.4.0 to 7.4.3, 7.2.0 to 7.2.9.
Yes, FG-IR-24-033 can be exploited by remote unauthenticated attackers through crafted requests.
FG-IR-24-033 is an improper neutralization of special elements in output (CWE-74), which enables injection attacks through the SSL-VPN web user interface.
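As an added example, not from the advisory or from Fortinet, the following Python encodes the affected ranges and fixed builds from the table and FAQ above so an inventory can be checked offline. It assumes the open-ended ">=7.0" FortiOS row means the whole 7.0 branch (7.0.x) rather than literally every build at or above 7.0, and it reports no fixed build where the advisory names none.

```python
"""Check FortiOS / FortiProxy builds against the FG-IR-24-033 affected ranges."""
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Range(NamedTuple):
    low: Version
    high: Optional[Version]   # None = advisory gives no upper bound
    fixed_in: Optional[str]   # None = advisory names no fixed build


def parse_version(text: str) -> Version:
    """'7.4.3' -> (7, 4, 3); short forms are padded ('7.4' -> (7, 4, 0))."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    while len(parts) < 3:
        parts.append("0")
    return tuple(int(p) for p in parts)


# Ranges and fixed builds as stated on the advisory page.
# ASSUMPTION: the ">=7.0" FortiOS row is read as the 7.0 branch (high=None
# means "same major.minor as low"), not every build >= 7.0.
AFFECTED = {
    "FortiOS": [
        Range((7, 4, 0), (7, 4, 3), "7.4.4"),
        Range((7, 2, 0), (7, 2, 8), "7.2.9"),
        Range((7, 0, 0), None, None),
    ],
    "FortiProxy": [
        Range((7, 4, 0), (7, 4, 3), "7.4.4"),
        Range((7, 2, 0), (7, 2, 9), "7.2.10"),
        Range((7, 0, 0), (7, 0, 16), None),
    ],
}


def in_range(v: Version, r: Range) -> bool:
    if v < r.low:
        return False
    if r.high is None:
        return v[:2] == r.low[:2]   # open-ended row: same feature branch
    return v <= r.high


def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_in) for a product/version pair."""
    v = parse_version(version)
    for r in AFFECTED.get(product, []):
        if in_range(v, r):
            return True, r.fixed_in
    return False, None
```

A build outside every listed range returns `(False, None)`, which only means the advisory does not list it, not that it is known to be safe.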