Skip to main content

Fortiadc CVE-2024-36511

LOW
Improperly Implemented Security Check for Standard (CWE-358)
2024-09-10 psirt@fortinet.com
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 10, 2024 - 15:15 nvd
LOW 3.7

DescriptionNVD

An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature

AnalysisAI

An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-358. An improperly implemented security check for standard vulnerability [CWE-358] in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an attacker, under specific conditions, to retrieve the initial encrypted and signed cookie protected by the feature Affected products include: Fortinet Fortiadc. Version information: through 7.4.4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-38381 CRITICAL
9.8 Nov 02

An improper handling of malformed request vulnerability [CWE-228] exists in FortiADC 5.0 all versions, 6.0.0 all version

CVE-2023-25603 CRITICAL
9.1 Nov 14

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.

CVE-2023-26205 HIGH
8.8 Nov 14

An improper access control vulnerability [CWE-284] in FortiADC automation feature 7.1.0 through 7.1.2, 7.0 all versions,

CVE-2022-33875 HIGH
8.8 Dec 06

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiA

CVE-2022-26120 HIGH
8.8 Jul 18

Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] i

CVE-2023-25607 HIGH
7.8 Oct 10

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78 ] in

CVE-2023-28000 HIGH
7.8 Jun 13

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC CLI 7.1.0, 7.0.0

CVE-2023-26210 HIGH
7.8 Jun 13

Multiple improper neutralization of special elements used in an os command ('OS Command Injection') vulnerabilties [CWE-

CVE-2023-27999 HIGH
7.8 May 03

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 7.2.0, 7.1.0 thr

CVE-2022-22299 HIGH
7.8 Aug 05

A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiAD

CVE-2025-31104 HIGH
7.2 Jun 10

FortiADC versions 6.1 through 7.6.1 contain an OS command injection vulnerability (CWE-78) that allows authenticated att

CVE-2023-27993 HIGH
7.1 May 03

A relative path traversal [CWE-23] in Fortinet FortiADC version 7.2.0 and before 7.1.1 allows a privileged attacker to d

Share

CVE-2024-36511 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy