CVE-2024-31495

Name of the Vulnerable Software and Affected Versions Fortinet FortiPortal versions 7.0.0 through 7.0.6 Fortinet FortiPortal version 7.2.0

Description The issue is related to the improper neutralization of special elements used in an SQL command, also known as SQL injection, in Fortinet FortiPortal. This could allow a remote attacker to disclose protected information. The vulnerability can be exploited via the report download functionality, allowing a privileged user to obtain unauthorized information.

Recommendations For Fortinet FortiPortal versions 7.0.0 through 7.0.6, consider disabling the report download functionality until a patch is available. For Fortinet FortiPortal version 7.2.0, restrict access to the report download functionality to minimize the risk of exploitation. As a temporary workaround, avoid using the report download functionality in Fortinet FortiPortal until the issue is resolved.