
Multiple Fortinet Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-55594 CVSS:5.6

An improper handling of syntactically invalid structure in Fortinet FortiWeb at least versions 7.4.0 through 7.4.6, 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows an attacker to execute unauthorized code or commands via crafted HTTP/S requests.

CVE-2023-48785 CVSS:4.4

An improper certificate validation vulnerability [CWE-295] in FortiNAC-F version 7.2.4 and below may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the HTTPS communication channel between the FortiOS device, an inventory.

CVE-2024-47573 CVSS:6

An improper validation of integrity check value vulnerability [CWE-354] in FortiNDR version 7.4.2 and below, version 7.2.1 and below, version 7.1.1 and below, version 7.0.6 and below may allow an authenticated attacker with at least Read/Write permission on system maintenance to install a corrupted firmware image.

CVE-2024-46662 CVSS:8.3

An improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions 7.4.1 through 7.4.3 and FortiManager Cloud versions 7.4.1 through 7.4.3 allows an attacker to escalate privileges via specifically crafted packets.

Impact

  • Security Bypass
  • Code Execution
  • Privilege Escalation
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2024-55594

  • CVE-2023-48785

  • CVE-2024-47573

  • CVE-2024-46662

Affected Vendors

  • Fortinet

Affected Products

  • Fortinet FortiWeb - 7.4.0
  • Fortinet FortiWeb - 7.2.0
  • Fortinet FortiWeb - 7.0.0
  • Fortinet FortiNAC-F - 7.2.0
  • Fortinet FortiNDR - 7.4.0, 7.2.0, 7.1.0, 7.0.0
  • Fortinet FortiManager - 7.4.1

Remediation

Upgrade to the latest version, available from the FortiGuard website.
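Before patching, it helps to know which devices in an inventory actually fall inside the affected ranges listed above. The following is an added example written for this advisory (not Rewterz or Fortinet code): it encodes the version ranges exactly as the analysis summary states them and compares versions numerically, so that "7.2.10" is correctly treated as newer than "7.2.6" (a plain string comparison would get this wrong). Fortinet's phrasing "X.Y.Z and below" is read here as the X.Y release branch up to X.Y.Z; that reading, the sample inventory and all hostnames are constructed for the example.

```python
"""Check deployed Fortinet product versions against the affected ranges in this advisory."""
import re
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.4.6', 'v7.4.6' or 'v7.4.6 build0000' into a comparable tuple such as (7, 4, 6).

    Comparing tuples of ints avoids the classic mistake of comparing version strings,
    where '7.2.10' < '7.2.6' lexicographically.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '7.4' to (7, 4, 0)


# (CVE, product, first affected, last affected), all bounds inclusive, taken from the
# advisory text. Assumption: "X.Y.Z and below" means the X.Y branch from X.Y.0 up to X.Y.Z.
AFFECTED = [
    ("CVE-2024-55594", "FortiWeb", "7.4.0", "7.4.6"),
    ("CVE-2024-55594", "FortiWeb", "7.2.0", "7.2.10"),
    ("CVE-2024-55594", "FortiWeb", "7.0.0", "7.0.10"),
    ("CVE-2023-48785", "FortiNAC-F", "7.2.0", "7.2.4"),
    ("CVE-2024-47573", "FortiNDR", "7.4.0", "7.4.2"),
    ("CVE-2024-47573", "FortiNDR", "7.2.0", "7.2.1"),
    ("CVE-2024-47573", "FortiNDR", "7.1.0", "7.1.1"),
    ("CVE-2024-47573", "FortiNDR", "7.0.0", "7.0.6"),
    ("CVE-2024-46662", "FortiManager", "7.4.1", "7.4.3"),
    ("CVE-2024-46662", "FortiManager Cloud", "7.4.1", "7.4.3"),
]


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids from this advisory whose affected range contains `version`."""
    v = parse_version(version)
    hits: List[str] = []
    for cve, prod, low, high in AFFECTED:
        if prod.lower() != product.lower():
            continue
        if parse_version(low) <= v <= parse_version(high) and cve not in hits:
            hits.append(cve)
    return hits


# Constructed sample inventory (hostname, product, version string as an asset tool might export it).
SAMPLE_INVENTORY = [
    ("waf-edge-01", "FortiWeb", "7.4.5"),            # inside 7.4.0-7.4.6
    ("waf-edge-02", "FortiWeb", "7.4.7"),            # one past the last affected build
    ("nac-core", "FortiNAC-F", "7.2.4"),             # upper bound, still affected
    ("ndr-dc1", "FortiNDR", "7.0.7"),                # fixed in the 7.0 branch
    ("fmg-prod", "FortiManager", "v7.4.3 build0000"),  # prefix/suffix noise is tolerated
]


def triage(inventory) -> List[Tuple[str, List[str]]]:
    """Return (hostname, [CVE ids]) for every inventory entry that needs an upgrade."""
    findings = []
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            findings.append((host, cves))
    return findings


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required ({', '.join(cves)})")
```

Versions that sit one build past the last affected release (such as FortiWeb 7.4.7 or FortiNDR 7.0.7 above) are deliberately not flagged, so the check only reports hosts the advisory's own ranges cover; anything the regex cannot parse raises rather than silently passing.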
