CVE-2024-26006: 
FortiOS vulnerability analysis and mitigation

CVE-2024-26006 is a Cross-Site Scripting (XSS) vulnerability discovered in FortiOS and FortiProxy's SSL VPN web UI. The vulnerability was initially published on July 9, 2024, and affects multiple versions of FortiOS (7.4.3 and below, 7.2.7 and below, 7.0.13 and below) and FortiProxy (7.4.3 and below, 7.2.9 and below, 7.0.16 and below). The vulnerability was reported by Jamie Riden from IOActive under responsible disclosure (Fortinet PSIRT).

The vulnerability is classified as an improper neutralization of input during web page generation vulnerability (CWE-79). It has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability exists in the web SSL VPN UI component and could allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack through a specific attack vector involving a malicious samba server (NVD, Fortinet PSIRT).

If successfully exploited, this vulnerability could allow an attacker to execute unauthorized code or commands through cross-site scripting. The attack requires user interaction as it involves social engineering the targeted user into bookmarking a malicious samba server and then opening the bookmark (Fortinet PSIRT).

Fortinet has released patches for affected versions. Users should upgrade to FortiOS 7.4.4 or above, 7.2.8 or above, 7.0.14 or above, and FortiProxy 7.4.4 or above, 7.2.10 or above, 7.0.17 or above. For FortiOS 6.4, users should migrate to a fixed release. As a temporary workaround, administrators can disable SSL-VPN web-mode. Fortinet provides an upgrade path tool at their documentation site (Fortinet PSIRT).