CVE-2025-24470

Feb. 11, 2025, 5:15 p.m.

8.6
High

Description

An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests.

Product(s) Impacted

Product Versions
FortiPortal
  • 7.4.0 - 7.4.2
  • 7.2.0 - 7.2.6
  • 7.0.0 - 7.0.11

Weaknesses

CWE-41
Improper Resolution of Path Equivalence
The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-015

Tags

psirt@fortinet.com
CWE-41
2025-02-11
CVE-2025-24470

CVSS Score

8.6 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Date

  • Published: Feb. 11, 2025, 5:15 p.m.
  • Last Modified: Feb. 11, 2025, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@fortinet.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.