CVE-2024-23111: An improper neutralization of input during web page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiOS version 7.4.3 and below,...
Description
An improper neutralization of input during web page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions reboot page may allow a remote privileged attacker with super-admin access to execute JavaScript code via crafted HTTP GET requests.
Classification
CVE ID: CVE-2024-23111
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Problem Types
Execute unauthorized code or commandsAffected Products
Vendor: Fortinet
Product: FortiOS, FortiProxy
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 12.92% (scored less or equal to compared to others)
EPSS Date: 2025-05-30 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: manipulation
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-23111https://fortiguard.fortinet.com/psirt/FG-IR-23-471