CVE-2024-27781 - Vulnerability Details

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Fortinet	Fortisandbox

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox::::::::

No data.

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-24-063

History

Wed, 14 Jan 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description	An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox at least versions 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.	An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
CPEs		cpe:2.3:a:fortinet:fortisandbox:3.0.0:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.1:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.2:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.3:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.4:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.5:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.6:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.7:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.0:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.1:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.2:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.3:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.4:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.5:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.0:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.1:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.2:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.3:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.0:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.1:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.2:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.3:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.1:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.2:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.3:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.5:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.6:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.0:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.1:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.2:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.3:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.4:::::::*

Tue, 22 Jul 2025 21:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:fortinet:fortisandbox::::::::

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00078}`	epss `{'score': 0.00091}`

Wed, 12 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 11 Feb 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox at least versions 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
Weaknesses		CWE-79
References		https://fortiguard.fortinet.com/psirt/FG-IR-24-063
Metrics		cvssV3_1 `{'score': 6.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X'}`

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2025-02-11T16:09:12.324Z

Updated: 2026-01-14T13:46:33.041Z

Reserved: 2024-02-26T14:46:31.335Z

Link: CVE-2024-27781

Vulnrichment

Updated: 2025-02-12T15:53:44.819Z

NVD

Status : Modified

Published: 2025-02-11T17:15:21.980

Modified: 2026-01-14T14:16:10.533

Link: CVE-2024-27781

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object