CVE-2024-33510

Name of the Vulnerable Software and Affected Versions FortiOS versions prior to 7.4.4 FortiProxy versions prior to 7.4.4 FortiSASE version 24.2.b and earlier

Description The issue is related to an improper neutralization of special elements in output used by a downstream component, which may allow a remote unauthenticated attacker to perform phishing attempts via crafted requests. This can be exploited through the SSL-VPN web user interface.

Recommendations For FortiOS versions prior to 7.4.4, update to version 7.4.4 or later to resolve the issue. For FortiProxy versions prior to 7.4.4, update to version 7.4.4 or later to resolve the issue. For FortiSASE version 24.2.b and earlier, update to a version later than 24.2.b to resolve the issue. As a temporary workaround, consider restricting access to the SSL-VPN web user interface to minimize the risk of exploitation.