CVE-2024-35280

Summary

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiDeceptor 5.3.0, FortiDeceptor 5.2.0, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions, FortiDeceptor 3.3 all versions, FortiDeceptor 3.2 all versions, FortiDeceptor 3.1 all versions, FortiDeceptor 3.0 all versions may allow an attacker to perform a reflected cross-site scripting attack in the recovery endpoints

Affected Software

VendorProductVersion RangeStatus
FortinetFortiDeceptor5.3.0affected
FortinetFortiDeceptor5.2.0affected
FortinetFortiDeceptor5.1.0affected
FortinetFortiDeceptor5.0.0affected
FortinetFortiDeceptor4.3.0affected
FortinetFortiDeceptor4.2.0affected
FortinetFortiDeceptor4.1.0 <= 4.1.1affected
FortinetFortiDeceptor4.0.0 <= 4.0.2affected
FortinetFortiDeceptor3.3.0 <= 3.3.3affected
FortinetFortiDeceptor3.2.0 <= 3.2.2affected
FortinetFortiDeceptor3.1.0 <= 3.1.1affected
FortinetFortiDeceptor3.0.0 <= 3.0.2affected

Weaknesses

  • CWE-79: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References