CVE-2024-23664: CWE-601 was fixed by Fortinet (20th May 2024)

Initial publication: 14th May 2024

Preface: What happens if a website uses a user-supplied URL in a URL fragment to redirect the logged-in user to the requested page?

Background: CWE-601 – An open redirect vulnerability occurs when an application allows the user to control a redirect or forward to another URL. If the application does not validate untrusted user input, an attacker could provide a URL that redirects an unsuspecting victim from a legitimate domain to the attacker’s phishing site.

Vulnerability details: CVE-2024-23664: A URL redirection to untrusted site (‘Open Redirect’) (CWE-601) vulnerability in FortiAuthenticator may allow an attacker to redirect users to an arbitrary website via a crafted URL.
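The preface describes a redirect target taken from the URL fragment after login. The following is an added illustration of that pattern and of a same-origin check that closes it; it is not FortiAuthenticator code, and the origin `https://auth.example.test` and the `next` fragment parameter are constructed assumptions.

```javascript
// Constructed origin of the application that performs the post-login redirect.
const APP_ORIGIN = "https://auth.example.test";
const DEFAULT_LANDING = "/";

// Pull the `next` value out of a fragment such as "#next=/dashboard".
function nextFromFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("next");
}

// Vulnerable pattern (CWE-601): the user-controlled value is used verbatim,
// so "#next=https://phish.example/login" sends the user off-site.
function vulnerableRedirect(hash) {
  const next = nextFromFragment(hash);
  return next ? next : DEFAULT_LANDING;
}

// Hardened pattern: resolve the value against the application origin and only
// honour it when the result stays on that origin. This rejects absolute URLs to
// other hosts, scheme-relative forms such as "//phish.example", backslash
// variants, and non-http(s) schemes such as "javascript:", whose origin differs.
function safeRedirect(hash, origin = APP_ORIGIN) {
  const next = nextFromFragment(hash);
  if (!next) return DEFAULT_LANDING;
  let target;
  try {
    target = new URL(next, origin);
  } catch (e) {
    return DEFAULT_LANDING; // unparseable value: fall back to the landing page
  }
  if (target.origin !== new URL(origin).origin) return DEFAULT_LANDING;
  // Hand back a path-only form so the redirect can never name a foreign host.
  return target.pathname + target.search + target.hash;
}
```

In a browser the same logic would run on `window.location.hash` before any assignment to `location.href`; keeping the allowed result path-only is what makes the check robust.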

Ref: You should validate the workspace ID first. If the workspace ID is valid, you can proceed with the HTTP request and return the response. However, if the workspace ID is invalid, you should handle the error appropriately.

Official details: Please refer to the link for details – https://fortiguard.fortinet.com/psirt/FG-IR-23-465
