XSS in /500/rescuemode and /500/sysupgrade pages Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-24-010 Final 1 1 2025-01-14T00:00:00 Current version 2025-01-14T00:00:00 2025-01-14T00:00:00 An improper neutralization of input during wep page generation [CWE-79] vulnerability in FortiDeceptor may allow an attacker to perform a reflected cross-site scripting attack in the recovery endpoints None Execute unauthorized code or commands None Fortinet is pleased to thank Samy Younsi from NeroSwarm Deception-as-a-Service for reporting this vulnerability under responsible disclosure. FortiDeceptor 5.3.0 FortiDeceptor 5.2.0 FortiDeceptor 5.1.0 FortiDeceptor 5.0.0 FortiDeceptor 4.3.0 FortiDeceptor 4.2.0 FortiDeceptor 4.1.1 FortiDeceptor 4.1.0 FortiDeceptor 4.0.2 FortiDeceptor 4.0.1 FortiDeceptor 4.0.0 FortiDeceptor 3.3.3 FortiDeceptor 3.3.2 FortiDeceptor 3.3.1 FortiDeceptor 3.3.0 FortiDeceptor 3.2.2 FortiDeceptor 3.2.1 FortiDeceptor 3.2.0 FortiDeceptor 3.1.1 FortiDeceptor 3.1.0 FortiDeceptor 3.0.2 FortiDeceptor 3.0.1 FortiDeceptor 3.0.0 CVE-2024-35280 FortiDeceptor-5.3.0 FortiDeceptor-5.2.0 FortiDeceptor-5.1.0 FortiDeceptor-5.0.0 FortiDeceptor-4.3.0 FortiDeceptor-4.2.0 FortiDeceptor-4.1.1 FortiDeceptor-4.1.0 FortiDeceptor-4.0.2 FortiDeceptor-4.0.1 FortiDeceptor-4.0.0 FortiDeceptor-3.3.3 FortiDeceptor-3.3.2 FortiDeceptor-3.3.1 FortiDeceptor-3.3.0 FortiDeceptor-3.2.2 FortiDeceptor-3.2.1 FortiDeceptor-3.2.0 FortiDeceptor-3.1.1 FortiDeceptor-3.1.0 FortiDeceptor-3.0.2 FortiDeceptor-3.0.1 FortiDeceptor-3.0.0 5.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-24-010 XSS in /500/rescuemode and /500/sysupgrade pages Reference>