CVE-2024-27781
Published: 11 February 2025
Summary
CVE-2024-27781 is a high-severity cross-site scripting (CWE-79) vulnerability in Fortinet FortiSandbox. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-27781 is a cross-site scripting vulnerability caused by improper neutralization of input during web page generation in Fortinet FortiSandbox. The flaw affects versions 4.4.0 through 4.4.4, 4.2.1 through 4.2.6, 4.0.0 through 4.0.4, and all versions of 3.2, 3.1, and 3.0, and is tracked under CWE-79.
An authenticated attacker can exploit the issue over the network by submitting crafted HTTP requests, resulting in execution of unauthorized code or commands. The vulnerability carries a CVSS 3.1 score of 7.1 with the vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.
Fortinet has published advisory FG-IR-24-063 addressing the issue. The associated EPSS score has remained flat at 0.0751, with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-24974
Vulnerability details
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS (CWE-79) in a network-accessible web management interface directly enables exploitation of a public-facing application (T1190) and injection and execution of arbitrary JavaScript (T1059.007) via crafted requests.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates information input validation, directly addressing the improper neutralization of input during web page generation that enables this XSS vulnerability in FortiSandbox.
SI-15 requires information output filtering, which prevents injected scripts from reaching the generated web pages that authenticated users view, the delivery mechanism this CVE relies on.
SI-2 ensures timely flaw remediation through patching, directly mitigating this specific XSS vulnerability as recommended in the Fortinet advisory.