CVE-2024-33510

An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fortiguard.fortinet.com/psirt/FG-IR-24-033	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortiproxy::::::::
	cpe:2.3:a:fortinet:fortiproxy::::::::
	cpe:2.3:a:fortinet:fortiproxy::::::::
	cpe:2.3:o:fortinet:fortios::::::::
	cpe:2.3:o:fortinet:fortios::::::::

History

17 Jan 2025, 20:35

Type	Values Removed	Values Added
CPE		cpe:2.3:o:fortinet:fortios:::::::: cpe:2.3:a:fortinet:fortiproxy::::::::
CWE		NVD-CWE-Other
References	~~() https://fortiguard.fortinet.com/psirt/FG-IR-24-033 -~~	() https://fortiguard.fortinet.com/psirt/FG-IR-24-033 - Vendor Advisory
First Time		Fortinet fortiproxy Fortinet Fortinet fortios

Information

Published : 2024-11-12 19:15

Updated : 2025-01-17 20:35

NVD link : CVE-2024-33510

Mitre link : CVE-2024-33510

CVE.ORG link : CVE-2024-33510

JSON object : View

Products Affected

fortinet

fortiproxy
fortios

CWE

CWE-358

Improperly Implemented Security Check for Standard

NVD-CWE-Other

{"id": "CVE-2024-33510", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-11-12T19:15:09.723", "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-033", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-358"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "An\u00a0improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests."}, {"lang": "es", "value": "Una vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales en la salida utilizada por un componente descendente ('Inyecci\u00f3n') [CWE-74] en FortiOS versi\u00f3n 7.4.3 y anteriores, versi\u00f3n 7.2.8 y anteriores, versi\u00f3n 7.0.16 y anteriores; FortiProxy versi\u00f3n 7.4.3 y anteriores, versi\u00f3n 7.2.9 y anteriores, versi\u00f3n 7.0.16 y anteriores; FortiSASE versi\u00f3n 24.2.b La interfaz de usuario web SSL-VPN puede permitir que un atacante remoto no autenticado realice intentos de phishing a trav\u00e9s de solicitudes manipuladas."}], "lastModified": "2025-01-17T20:35:31.247", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C98BE382-7A23-4231-9D1B-5D7946848F99", "versionEndExcluding": "7.0.17", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDFFA2C3-0A23-4884-B751-785BE598DFF3", "versionEndExcluding": "7.2.10", "versionStartIncluding": "7.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F2C29AD-A11F-4A5F-8BB0-8600D5F77E72", "versionEndExcluding": "7.4.4", "versionStartIncluding": "7.4.0"}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC7395B0-2864-49E3-8B70-935A17EF3162", "versionEndExcluding": "7.2.9", "versionStartIncluding": "7.0.0"}, {"criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FDDB5F3-D229-4208-9110-8860A03C8B59", "versionEndExcluding": "7.4.4", "versionStartIncluding": "7.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}