Fortinet FortiPortal SQL Injection Vulnerability Allows Unauthorized Information Access
CVE-2024-31495

2.7LOW

Key Information:

Vendor: Fortinet
Status: Fortiportal
Vendor: CVE Published:; 11 June 2024

Summary

This vulnerability involves improper neutralization of special elements used within an SQL command, leading to SQL injection risks in Fortinet FortiPortal. Specifically, privileged users can exploit this weakness to gain unauthorized access to sensitive information through the report download functionality. This poses significant risks to data confidentiality and integrity for users of affected FortiPortal versions.

Affected Version(s)

FortiPortal 7.2.0

FortiPortal 7.0.0 <= 7.0.6

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-128

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 11, 2024
Vulnerability Reserved
Apr 4, 2024