
Multiple Fortinet Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-50570 (CVSS 5)

A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiClientWindows 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13 and FortiClientLinux 7.4.0 through 7.4.2, 7.2.0 through 7.2.7, 7.0.0 through 7.0.13 may allow a local authenticated user to retrieve the VPN password from a memory dump, due to the behaviour of JavaScript's garbage collector.

CVE-2024-48889 (CVSS 7.2)

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12 and below, version 6.4.14 and below, and in FortiManager Cloud version 7.4.4 and below, version 7.2.1 through 7.2.7, version 7.0.1 through 7.0.12 may allow an authenticated remote attacker to execute unauthorized code via crafted FGFM requests.
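The version lists above are easy to misread in an asset inventory (a string comparison puts 7.0.10 before 7.0.9, and "7.4.4 and below" has to be read within the 7.4 branch, as Fortinet advisories do). The following script is an added example, not Rewterz's or Fortinet's code: it encodes the affected ranges exactly as the two summaries state them and checks an inventory against them. The product-name keys, the per-branch reading of "and below" (for example 7.4.0 through 7.4.4), the inventory format and the sample hosts are all assumptions made for this example; FortiClientMac is listed under Affected Products but has no ranges in the summaries, so it is left out.

```python
"""Check FortiClient / FortiManager versions against the advisory ranges.

Added example (not Fortinet's or Rewterz's code). Ranges are copied from the
advisory text above; 'and below' is read within the same major.minor branch,
which is an assumption about Fortinet's wording, not a statement from the page.
"""

# product -> CVE -> list of inclusive (lowest, highest) affected versions
AFFECTED = {
    "FortiClientWindows": {
        "CVE-2024-50570": [("7.4.0", "7.4.1"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13")],
    },
    "FortiClientLinux": {
        "CVE-2024-50570": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.7"), ("7.0.0", "7.0.13")],
    },
    "FortiManager": {
        "CVE-2024-48889": [
            ("7.6.0", "7.6.0"),   # 7.6.0 only
            ("7.4.0", "7.4.4"),   # "7.4.4 and below" (assumed: within the 7.4 branch)
            ("7.2.0", "7.2.7"),
            ("7.0.0", "7.0.12"),
            ("6.4.0", "6.4.14"),
        ],
    },
    "FortiManager Cloud": {
        "CVE-2024-48889": [("7.4.0", "7.4.4"), ("7.2.1", "7.2.7"), ("7.0.1", "7.0.12")],
    },
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.0.10' into (7, 0, 10) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_cves(product: str, version: str) -> list[str]:
    """Return the CVE ids from this advisory whose ranges contain `version`."""
    ver = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.get(product, {}).items():
        if any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def scan_inventory(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each host in (host, product, version) records to its matching CVEs.

    Hosts with no match are omitted so the result is an action list.
    """
    findings = {}
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            findings[host] = cves
    return findings


# Constructed sample inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("laptop-01", "FortiClientWindows", "7.4.1"),   # inside 7.4.0-7.4.1
    ("laptop-02", "FortiClientWindows", "7.4.2"),   # fixed branch release, not affected
    ("build-03", "FortiClientLinux", "7.0.10"),     # numeric compare: 7.0.10 <= 7.0.13
    ("fmg-01", "FortiManager", "7.6.0"),            # the single affected 7.6 release
    ("fmg-02", "FortiManager", "7.6.1"),            # above 7.6.0, not affected
    ("fmgc-01", "FortiManager Cloud", "7.2.0"),     # below the 7.2.1 lower bound
]

if __name__ == "__main__":
    for host, cves in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

Feed it real inventory data by replacing SAMPLE_INVENTORY with records exported from your endpoint or asset management system; any host it reports should be scheduled for the upgrade path given in the FortiGuard advisory for that CVE.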

Impact

  • Information Disclosure
  • Code Execution

Indicators of Compromise

CVE

  • CVE-2024-50570
  • CVE-2024-48889

Affected Vendors

Fortinet

Affected Products

  • Fortinet FortiClientMac - 7.4.0 - 7.2.0 - 7.0.0
  • Fortinet FortiClientLinux - 7.4.0 - 7.2.0 - 7.0.0
  • Fortinet FortiClientWindows - 7.4.0 - 7.2.0 - 7.0.0
  • Fortinet FortiManager - 7.6.0 - 7.4.0 - 7.2.3 - 7.0.5 - 6.4.10

Remediation

Refer to the Fortinet FortiGuard security advisory for each CVE for patch, upgrade, or suggested workaround information.

CVE-2024-50570

CVE-2024-48889