Fortinet FortiOS/FortiProxy/FortiSASE SSL-VPN Web Interface Injection Vulnerability
CVE-2024-33510 Published on November 12, 2024
An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests.
Vulnerability Analysis
CVE-2024-33510 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Improperly Implemented Security Check for Standard
The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Products Associated with CVE-2024-33510
stack.watch emails you whenever new vulnerabilities are published in Fortinet FortiOS or Fortinet FortiProxy. Just hit a watch button to start following.
Affected Versions
Fortinet FortiOS:- Version 7.4.0, <= 7.4.3 is affected.
- Version 7.2.0, <= 7.2.8 is affected.
- Version 7.0.0, <= 7.0.16 is affected.
- Version 7.4.0, <= 7.4.3 is affected.
- Version 7.2.0, <= 7.2.9 is affected.
- Version 7.0.0, <= 7.0.16 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.