CVE-2024-36510

Published: Jan 14, 2025Modified: Jan 31, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to enumerate valid users via observing login request responses.

Affected (5)

Products: Fortinet: Forticlientems, Fortisoar

Fortinet

2 products

Forticlientems

Fortisoar

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Fortinet Forticlientems	From 7.0.0 to 7.2.5
Fortinet Forticlientems	Version 7.4.0
Fortinet Fortisoar	From 6.4.0 to 7.3.3
Fortinet Fortisoar	From 7.4.0 to 7.4.5
Fortinet Fortisoar	Version 7.5.0

Related CWEs

CWE-203

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-204

Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-071

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.