CVE-2024-27781
Published: 11 February 2025
Description
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
Security Summary
CVE-2024-27781 is a cross-site scripting (XSS) vulnerability, CWE-79 (improper neutralization of input during web page generation), in the FortiSandbox web interface. Affected releases are 4.4.0 through 4.4.4, 4.2.1 through 4.2.6, 4.0.0 through 4.0.4, and every release of the 3.2, 3.1 and 3.0 branches. The CVSS v3.1 base score is 7.1 with vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H: the attack is reachable over the network, needs a low-privileged authenticated account, has high attack complexity and requires a second user to interact, and when it succeeds it is rated high for confidentiality, integrity and availability within the application's own scope (S:U). The high impact ratings are what hold the score at 7.1 despite the AC:H and UI:R preconditions.
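The affected ranges above are the first thing to check against an inventory. The following is an added example, not Fortinet's code: it transcribes the ranges from the advisory text, models "3.0 / 3.1 / 3.2 all versions" as open-ended ranges over each major.minor line, and pads short version strings to major.minor.patch. Hostnames and versions in SAMPLE_INVENTORY are constructed. Note that the checker follows the listed ranges literally, so a build such as 4.2.0, which the advisory does not list, is reported as "not listed" rather than as safe.

```python
"""Inventory check: is a given FortiSandbox version inside the ranges this
advisory lists for CVE-2024-27781?

Added example, not Fortinet's code. Ranges are transcribed from the advisory
text; a high bound of None means the whole major.minor line is affected.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (low inclusive, high inclusive); high=None -> every release of that line
AFFECTED_RANGES: List[Tuple[Version, Optional[Version]]] = [
    ((4, 4, 0), (4, 4, 4)),
    ((4, 2, 1), (4, 2, 6)),
    ((4, 0, 0), (4, 0, 4)),
    ((3, 2), None),
    ((3, 1), None),
    ((3, 0), None),
]


def parse_version(text: str) -> Version:
    """Turn '4.4.4', 'v4.4.4' or '4.4.4-build1234' into (4, 4, 4).

    A '-build...' suffix is dropped because the advisory expresses its
    ranges at major.minor.patch granularity; a missing patch component is
    padded with 0 so '4.4' compares as 4.4.0.
    """
    core = text.strip().lstrip("vV").split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version: {text!r}")
    version = tuple(int(p) for p in parts)
    while len(version) < 3:
        version += (0,)
    return version


def is_affected(text: str) -> bool:
    """True if the version falls inside any range the advisory lists."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if high is None:
            if v[: len(low)] == low:  # whole 3.x line is affected
                return True
        elif low <= v <= high:  # tuple comparison orders dotted versions
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split {host: version} into hosts inside the listed ranges and the rest."""
    result: Dict[str, List[str]] = {"affected": [], "not_listed": []}
    for host in sorted(inventory):
        bucket = "affected" if is_affected(inventory[host]) else "not_listed"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fsa-dc1": "4.4.4-build2652",
    "fsa-dc2": "4.4.5",
    "fsa-lab": "3.2.4",
    "fsa-old": "4.2.0",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Versions outside every listed range land in "not_listed"; confirm the exact fixed releases against the Fortinet advisory rather than treating that bucket as patched.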
An attacker holding a low-privileged authenticated account delivers the payload through crafted HTTP requests to the FortiSandbox interface. As with any XSS, the "unauthorized code or commands" in the description means script that runs in the browser of another user who renders the affected page; that script executes inside the victim's session and can drive the management interface with the victim's privileges, an administrator's if an administrator views the injected content. Exploitation therefore needs network access to the interface, valid credentials, a second user who interacts with the malicious content (UI:R), and a high-complexity setup (AC:H); those preconditions, not the severity of the outcome, are what keep the score below critical.
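The root cause class, output written into a page without neutralization, is easiest to see next to its fix. The following is an added example, not FortiSandbox code: two renderers stand in for a server-side template that echoes a hypothetical request parameter (`note`) into an admin page in three output contexts, and a small parser counts how many `<script>` elements a browser's tokenizer would create from each result. The payload and the fetch target in it are constructed test strings, not anything taken from the advisory.

```python
"""Vulnerable vs. hardened web-page generation for attacker-controlled input,
the CWE-79 pattern behind CVE-2024-27781.

Added example, not FortiSandbox code. The 'note' parameter, the page layout
and the payload are all constructed for illustration.
"""
import html
import json
from html.parser import HTMLParser

# Constructed input: breaks out of a double-quoted attribute and injects a
# script element. The fetch target is made up.
PAYLOAD = '"><script>fetch("/api/export?all=1")</script>'


def render_vulnerable(note: str) -> str:
    """Concatenates the parameter into HTML with no neutralization, so the
    browser parses it as markup in the attribute, body and JS contexts."""
    return (f'<input value="{note}">'
            f'<p>{note}</p>'
            f'<script>var note = "{note}";</script>')


def for_attr(value: str) -> str:
    """Encode for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


def for_text(value: str) -> str:
    """Encode for HTML text content (quotes may stay literal here)."""
    return html.escape(value, quote=False)


def for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> element.

    json.dumps escapes quotes and backslashes; '<' and '>' are additionally
    encoded so a value containing '</script>' cannot close the element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_hardened(note: str) -> str:
    """Same page, with the encoder chosen per output context."""
    return (f'<input value="{for_attr(note)}">'
            f'<p>{for_text(note)}</p>'
            f'<script>var note = {for_js_string(note)};</script>')


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags as a tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.count += 1


def script_elements(page: str) -> int:
    """Number of <script> elements created from the page. The template
    legitimately emits exactly one; anything beyond that came from input."""
    parser = _ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.count


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                       ("hardened", render_hardened(PAYLOAD))):
        print(f"{name}: {script_elements(page)} <script> element(s)")
```

The point of the three encoders is that one escaping routine does not cover every context: attribute values, text nodes and JavaScript string literals each have their own break-out characters, and the neutralization has to match the place in the page where the value lands.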
For fixed releases and any workarounds, refer to the Fortinet advisory FG-IR-24-063 at https://fortiguard.fortinet.com/psirt/FG-IR-24-063. Until an affected unit is upgraded, the exploitation preconditions above point to the compensating controls: limit who can authenticate to the management interface, keep that interface off untrusted networks, and treat low-privileged accounts on the appliance as able to reach administrators through their browsers.
Details
- CWE(s)