CVE-2024-31488: 
FortiNAC vulnerability analysis and mitigation

An improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC affects multiple versions including 9.4.0 through 9.4.4, 9.2.0 through 9.2.8, 9.1.0 through 9.1.10, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, and 7.2.0 through 7.2.3. The vulnerability was discovered internally by Fortinet's QA team members Heidi White and Brian Bull and was initially published on May 14, 2024 (Fortinet Advisory, NVD).

The vulnerability is classified as an improper neutralization of input during web page generation (CWE-79) that affects the GUI component of FortiNAC. It has been assigned a CVSS v3.1 base score of 6.8 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) by Fortinet, while the NVD has assessed it with a CVSS v3.1 base score of 9.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) (NVD).

The vulnerability allows a remote authenticated attacker to perform both stored and reflected cross-site scripting (XSS) attacks through crafted HTTP requests. This can lead to the execution of unauthorized code or commands in the context of the user's browser (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiNAC 9.4.x should upgrade to version 9.4.5 or above, while users of FortiNAC 7.2.x should upgrade to version 7.2.4 or above. Users of FortiNAC versions 9.2.x, 9.1.x, 8.8.x, and 8.7.x should migrate to a fixed release (Fortinet Advisory).