CVE-2024-40590

Name of the Vulnerable Software and Affected Versions: FortiPortal versions 7.4.0, 7.2.4 and below, 7.0.8 and below, 6.0.15 and below

Description: The issue is related to an improper certificate validation, which may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept and tamper with the encrypted communication channel established between FortiPortal and certain endpoints, such as a FortiManager device, a FortiAnalyzer device, or an SMTP server.

Recommendations: For FortiPortal version 7.4.0, update to a version that includes the fix for the improper certificate validation issue. For FortiPortal versions 7.2.4 and below, update to a version that includes the fix for the improper certificate validation issue. For FortiPortal versions 7.0.8 and below, update to a version that includes the fix for the improper certificate validation issue. For FortiPortal versions 6.0.15 and below, update to a version that includes the fix for the improper certificate validation issue. As a temporary workaround, consider restricting access to the encrypted communication channel until a patch is available.