Details of VAR-202501-2603

ID

VAR-202501-2603

CVE

CVE-2024-27778

TITLE

fortinet's FortiSandbox In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-018404

DESCRIPTION

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.5 through 3.0.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. fortinet's FortiSandbox for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2024-27778 // JVNDB: JVNDB-2024-018404

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.4.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.2.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.0.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.0.5 that's all 4.0.5	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0 that's all 4.4.5	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.2.0 that's all 4.2.7	Trust: 0.8

sources: JVNDB: JVNDB-2024-018404 // NVD: CVE-2024-27778

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2024-27778
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-27778
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-27778
value:	HIGH
Trust: 0.8

psirt@fortinet.com:	CVE-2024-27778
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2024-27778
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2024-018404 // NVD: CVE-2024-27778 // NVD: CVE-2024-27778

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-018404 // NVD: CVE-2024-27778

PATCH

title:

FG-IR-24-061

url:

https://fortiguard.fortinet.com/psirt/FG-IR-24-061

Trust: 0.8

sources: JVNDB: JVNDB-2024-018404

EXTERNAL IDS

db:	NVD	id:	CVE-2024-27778	Trust: 2.6
db:	JVNDB	id:	JVNDB-2024-018404	Trust: 0.8

sources: JVNDB: JVNDB-2024-018404 // NVD: CVE-2024-27778

REFERENCES

url:	https://fortiguard.fortinet.com/psirt/fg-ir-24-061	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2024-27778	Trust: 0.8

sources: JVNDB: JVNDB-2024-018404 // NVD: CVE-2024-27778

SOURCES

db:	JVNDB	id:	JVNDB-2024-018404
db:	NVD	id:	CVE-2024-27778

LAST UPDATE DATE

2026-01-14T23:20:47.018000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2024-018404	date:	2025-02-07T06:49:00
db:	NVD	id:	CVE-2024-27778	date:	2026-01-14T15:15:54.763

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2024-018404	date:	2025-02-07T00:00:00
db:	NVD	id:	CVE-2024-27778	date:	2025-01-14T14:15:29.053