PT-2024-5733 · Fortinet · Fortiproxy+1

Published: 2024-07-09 · Updated: 2025-03-19 · CVE-2024-26006

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
FortiOS versions prior to the fixed version
FortiProxy versions prior to the fixed version

Description
The issue exists due to improper neutralization of input during web page generation, allowing a remote attacker to perform Cross-Site Scripting attacks. This can be achieved through social engineering, where the targeted user is tricked into bookmarking a malicious Samba server and then opening the bookmark.

Recommendations
For FortiOS versions prior to the fixed version, update to the latest version to resolve the issue. For FortiProxy versions prior to the fixed version, update to the latest version to resolve the issue. As a temporary workaround, consider restricting access to the web SSL VPN UI to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-06446
CVE-2024-26006

Affected Products

Fortios
Fortiproxy