CVE-2024-27783

Multiple cross-site request forgery (CSRF) vulnerabilities [CWE-352] in FortiAIOps version 2.0.0 may allow an unauthenticated remote attacker to perform arbitrary actions on behalf of an authenticated user via tricking the victim to execute malicious GET requests.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-070	Vendor Advisory
https://fortiguard.fortinet.com/psirt/FG-IR-24-070	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:fortinet:fortiaiops:2.0.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-07-09 16:15

Updated : 2024-11-21 09:05

NVD link : CVE-2024-27783

Mitre link : CVE-2024-27783

CVE.ORG link : CVE-2024-27783

JSON object : View

Products Affected

fortinet

fortiaiops

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-27783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-07-09T16:15:05.240", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-070", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}, {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-070", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities [CWE-352] in FortiAIOps version 2.0.0 may allow an unauthenticated remote attacker to perform arbitrary actions on behalf of an authenticated user via tricking the victim to execute malicious GET requests."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de Cross Site Request Forgery (CSRF) [CWE-352] en FortiAIOps versi\u00f3n 2.0.0 pueden permitir que un atacante remoto no autenticado realice acciones arbitrarias en nombre de un usuario autenticado enga\u00f1ando a la v\u00edctima para que ejecute solicitudes GET maliciosas."}], "lastModified": "2024-11-21T09:05:02.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiaiops:2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46735B4F-511E-4C02-A561-FCF029146F79"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}