9.8

CVE-2024-26011

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted packets.

Data is provided by the National Vulnerability Database (NVD)
FortinetFortios Version >= 6.0.0 < 7.0.15
FortinetFortios Version >= 7.2.0 < 7.2.8
FortinetFortios Version >= 7.4.0 < 7.4.4
FortinetFortipam Version >= 1.0.0 < 1.3.0
FortinetFortiproxy Version >= 1.0.0 < 7.0.17
FortinetFortiproxy Version >= 7.2.0 < 7.2.10
FortinetFortiproxy Version >= 7.4.0 < 7.4.4
FortinetFortimanager Version >= 6.4.0 < 6.4.15
FortinetFortimanager Version >= 7.0.0 < 7.0.12
FortinetFortimanager Version >= 7.2.0 < 7.2.5
FortinetFortimanager Version >= 7.4.0 < 7.4.3
FortinetFortiswitchmanager Version >= 7.0.0 < 7.0.4
FortinetFortiswitchmanager Version >= 7.2.0 < 7.2.4
FortinetFortiportal Version >= 5.3.0 < 6.0.15
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.05% 0.17
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@fortinet.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.