CVE-2024-33510

MEDIUM

FortiOS <7.4.3, <7.2.8, <7.0.16 - Injection

Title source: llm

Description

An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests.

References (1)

[Vendor Advisory] https://fortiguard.fortinet.com/psirt/FG-IR-24-033

Scores

CVSS v3 4.3

EPSS 0.0048

EPSS Percentile 65.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-358

Status published

Products (2)

fortinet/fortios 7.0.0 - 7.2.9

fortinet/fortiproxy 7.0.0 - 7.0.17

Published Nov 12, 2024

Tracked Since Feb 18, 2026