Main Vulnerability Database SB2024091082

SB2024091082 - Information disclosure in FortiADC

Published: September 10, 2024

Security Bulletin ID SB2024091082

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improperly implemented security check for standard (CVE-ID: CVE-2024-36511)

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an improperly implemented security check for standard in FortiADC Web Application Firewall (WAF) when cookie security policy is enabled. A remote attacker can retrieve the initial encrypted and signed cookie protected by the feature.

Remediation

Install update from vendor's website.

References

https://www.fortiguard.com/psirt/FG-IR-22-256