PT-2024-7549 · Fortinet · FortiADC Web Application Firewall

Published: 2024-09-10 · Updated: 2024-09-20 · CVE-2024-36511

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

FortiADC Web Application Firewall (WAF) versions 6.0 through 7.4.4. FortiADC WAF version 7.4.5 and later are reported as not affected; however, because the exact fixed version is not specified in the highest-priority source, all versions prior to 7.4.5 are treated as vulnerable.
Description

The vulnerability stems from an improperly implemented security check for a standard in the FortiADC Web Application Firewall. Under specific conditions, when the cookie security policy is enabled, an attacker may be able to retrieve the initial encrypted and signed cookie that the feature is meant to protect.
Recommendations

- For FortiADC WAF versions 6.0 through 7.4.4, consider disabling the cookie security policy until a patch is available.
- Restrict access to the Web Application Firewall to reduce the risk of exploitation.
- Avoid relying on the cookie security feature in the affected WAF versions until the issue is resolved.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improperly Implemented Security Check for Standard

Related Identifiers

BDU:2024-08947
CVE-2024-36511

Affected Products

FortiADC Web Application Firewall