
Multiple Fortinet FortiSOAR and FortiOS Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-31393 CVSS:6.5

Fortinet FortiSOAR could allow a remote authenticated attacker to obtain sensitive information, caused by improper removal of sensitive information before storage or transfer. By sending a specially crafted request, a remote attacker could exploit this vulnerability to read Connector passwords in plaintext.

CVE-2024-23111 CVSS:6.8

Fortinet FortiOS/FortiProxy is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the reboot page. A remote attacker could exploit this vulnerability to execute a script in a victim's web browser within the security context of the hosting website. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2024-21754 CVSS:1.8

Fortinet FortiOS could provide weaker than expected security, caused by the use of a password hash with insufficient computational effort. A remote attacker could exploit this vulnerability to decrypt the backup file.

CVE-2024-26010, CVE-2024-23110, CVE-2024-46720

Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion in V8. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Gain Access
  • Buffer Overflow
  • Information Obtained
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-31393
  • CVE-2024-23111
  • CVE-2024-21754
  • CVE-2024-26010
  • CVE-2024-23110
  • CVE-2024-46720

Affected Vendors

Fortinet

Affected Products

  • Fortinet FortiSOAR 7.2.0
  • Fortinet FortiSOAR 7.3.0
  • Fortinet FortiOS 7.4.2
  • Fortinet FortiSOAR 7.0.0
  • Fortinet FortiOS 7.4.3
  • Fortinet FortiProxy 7.4.2

Remediation

Refer to Fortinet Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2024-31393

CVE-2024-23111

CVE-2024-21754

CVE-2024-26010

CVE-2024-23110

CVE-2024-46720