CVE-2024-47570

EUVD-2024-55312

09.12.2025, 18:15

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.6 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
fortinet	CNA	6.3 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
fortinet	fortiproxy	7.2.0 ≤ 𝑥 < 7.2.12
fortinet	fortiproxy	7.4.0 ≤ 𝑥 < 7.4.4
fortinet	fortisase	24.1.37
fortinet	fortisra	1.4.0 ≤ 𝑥 ≤ 1.4.3
fortinet	fortios	7.0.4 ≤ 𝑥 ≤ 7.0.17
fortinet	fortios	7.2.0 ≤ 𝑥 < 7.2.8
fortinet	fortios	7.4.0 ≤ 𝑥 < 7.4.4
fortinet	fortipam	1.0.0 ≤ 𝑥 ≤ 1.4.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-268