A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15; FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19; FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1; FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1; and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands.
CVE ID: CVE-2024-45324
CVSS Base Severity: HIGH
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C
Vendor: Fortinet
Product: FortiPAM, FortiProxy, FortiSRA, FortiWeb, FortiOS
EPSS Score: 0.15% (probability of being exploited)
EPSS Percentile: 31.53% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-04-09 (date this score was calculated)