CVE-2024-40590 MEDIUM

CVE-2024-40590

Vendor Fortinet
Product FortiPortal
Weakness CWE-295
Published March 14, 2025
Last update March 14, 2025

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:U/RC:R

What the vulnerability does

01Description

An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept on and tamper with the encrypted communication channel established between the FortiPortal and those endpoints.

Key dates

02Disclosure timeline

March 14, 2025 CVE published
March 14, 2025 Record updated