649 matches found

Fortinet • added 2019/11/26 • 52 views
A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may cause the SSL VPN web service termination for logged in users or potential remote code execution on FortiOS; this happens when an authenticated user visits a specifically crafted proxied webpage, and this is due to a...
CVSS 4.3 · AI score 7.6 · EPSS 0.33647 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/11/25 • 32 views
An Improper Neutralization of Input vulnerability in the hostname parameter of a DHCP packet under the DHCP monitor page may allow an unauthenticated attacker on the same network as the FortiGate to perform a stored cross-site scripting (XSS) attack by sending a crafted DHCP packet...
AI score 5.7 · EPSS 0.00331 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/11/14 • 26 views
A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to superadmin via restoring modified configurations...
CVSS 9 · AI score 6.9 · EPSS 0.01728 · Exploits: 0 · Affected software: 2

Fortinet • added 2019/11/14 • 45 views
Lack of a root file system integrity check in the VM appliance may allow an attacker with read/write access to the VM image before it is booted up to inject malicious implants into the image...
CVSS 10 · AI score 7 · EPSS 0.0077 · Exploits: 0 · Affected software: 13

Fortinet • added 2019/11/14 • 27 views
Improper permission or value checking in the CLI console may allow a non-privileged user to obtain the plaintext private keys of the system's built-in local certificates via unsetting the keys' encryption password, or of user-uploaded local certificates via setting an empty password. Note that backed up...
CVSS 2.1 · AI score 5.3 · EPSS 0.00189 · Exploits: 0 · Affected software: 2

Fortinet • added 2019/11/14 • 60 views
Multiple integer overflow and out-of-bounds read/write vulnerabilities in the SSL VPN web-mode SSH client may allow an unauthenticated attacker to cause the SSL VPN user session to break (denial of service) and possibly to run arbitrary code via specially crafted packets sent from a malicious SSH...
CVSS 9.3 · AI score 9.4 · EPSS 0.09219 · Exploits: 0 · Affected software: 2

Fortinet • added 2019/11/08 • 37 views
An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS and FortiProxy may allow an unauthenticated remote attacker to crash the SSL VPN service by sending a crafted POST request...
CVSS 5 · AI score 7.3 · EPSS 0.01262 · Exploits: 0 · Affected software: 2

Fortinet • added 2019/11/08 • 30 views
Console window of FortiClient for Mac OS displays password in clear-text.
A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway...
CVSS 2.1 · AI score 5.1 · EPSS 0.00195 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/11/01 • 40 views
FortiExtender OS command injection through execute date CLI command
An OS command injection vulnerability in the FortiExtender CLI admin console may allow unauthorized administrators to run arbitrary system-level commands via specially crafted "execute date" commands...
CVSS 9 · AI score 7.1 · EPSS 0.01907 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/10/29 • 35 views
Command injection vulnerability in FortiClient for Mac OS
An Improper Neutralization of Special Elements used in a Command vulnerability in one of the FortiClient for Mac OS root processes may allow a local user of the system on which FortiClient is running to execute unauthorized code as root by bypassing a security check...
CVSS 7.2 · AI score 4.2 · EPSS 0.00436 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/10/18 • 17 views
Multiple information exposure vulnerabilities in FortiOS may allow an unauthenticated attacker to perform some information gathering via parsing the HTTP headers, web portal certificate, and error messages. The exposed information includes the FortiGate's model, serial number and internal IP...
AI score 7 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/10/18 • 38 views
FortiClient Windows Service or Process Tampering
FortiClient for Windows could be subject to the following shut-down or tampering attempts:...
CVSS 4.4 · AI score 2.6 · EPSS 0.00511 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/10/08 • 39 views
FortiSIEM external authentication password reflected in external authentication profile
An information exposure vulnerability in the external authentication profile form of FortiSIEM may allow an authenticated attacker to retrieve the external authentication password via the HTML source code. This could potentially aggravate attacks targeting the authenticated admin session, should...
CVSS 4 · AI score 1.5 · EPSS 0.00894 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/09/23 • 19 views
XSS vulnerability in FortiClientEMS
An Improper Neutralization of Input During Web Page Generation vulnerability in FortiClientEMS may allow a remote attacker to execute unauthorized code by injecting a malicious payload into the user profile of a FortiClient instance being managed by the vulnerable system...
AI score 4.4 · EPSS 0.0025 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/09/17 • 14 views
IPMI network LAN interface failover operational risk
Some models of FortiAnalyzer and FortiManager have a default setting of "Failover" for remote IPMI access; this means that if no cable is plugged into the IPMI port, the IPMI implementation will request an IP address on the regular LAN port of the device via DHCP requests...
AI score 3.3 · Exploits: 0

Fortinet • added 2019/09/03 • 57 views
HTTP/2 Multiple DoS Attacks (VU#605641)
Improper implementations of the HTTP/2 protocol can lead to a variety of denial-of-service (DoS) attacks...
CVSS 7.8 · AI score 3.5 · EPSS 0.87806 · Exploits: 1

Fortinet • added 2019/08/30 • 44 views
An Improper Authorization vulnerability in the SSL VPN web portal may allow an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests...
CVSS 5 · AI score 7.6 · EPSS 0.81691 · Exploits: 2 · Affected software: 1

Fortinet • added 2019/08/26 • 74 views
Wind River VxWorks IPnet TCP/IP Stack Vulnerabilities (aka. URGENT/11)
11 zero-day vulnerabilities, aka URGENT/11, were disclosed in the VxWorks® TCP/IP stack IPnet:...
CVSS 7.5 · AI score 7.6 · EPSS 0.84177 · Exploits: 7

Fortinet • added 2019/08/26 • 67 views
Meltdown and Spectre class vulnerabilities
New types of side channel attacks impact most processors, including Intel, AMD, ARM, etc. These attacks allow malicious userspace processes to read kernel memory, thus potentially causing sensitive kernel information to leak...
CVSS 5.4 · AI score 6.6 · EPSS 0.93838 · Exploits: 18 · Affected software: 3

Fortinet • added 2019/08/21 • 34 views
Failure to sanitize input in the SSL VPN web portal may allow an attacker to perform a reflected cross-site scripting (XSS) attack via multiple parameters of the error page HTTP request...
CVSS 4.3 · AI score 5.8 · EPSS 0.00807 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/08/12 • 33 views
FortiRecorder sets credentials of FortiCameras to static values
A Use of Hard-coded Credentials vulnerability in FortiRecorder may allow an unauthenticated attacker with knowledge of the aforementioned credentials and network access to FortiCameras to take control of them, provided they are managed by a FortiRecorder device...
CVSS 7.5 · AI score 3.7 · EPSS 0.01518 · Exploits: 2 · Affected software: 1

Fortinet • added 2019/07/26 • 59 views
A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server...
CVSS 3.3 · AI score 7.7 · EPSS 0.18566 · Exploits: 1 · Affected software: 1

Fortinet • added 2019/07/24 • 139 views
FortiOS TCP timestamp response
FortiOS by default enables TCP timestamp response, which may lead to information disclosure...
AI score 1 · Exploits: 0

Fortinet • added 2019/07/24 • 91 views
Multiple Fortinet products may be affected by the following Linux Kernel vulnerability:...
CVSS 10 · AI score 8.9 · EPSS 0.12791 · Exploits: 1 · Affected software: 20

Fortinet • added 2019/07/24 • 20 views
FortiOS Explicit Web Proxy by default allows non-standard HTTP traffic...
AI score 6.9 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/07/19 • 17 views
Certificates taken out of service could potentially be improperly re-used...
AI score 6.8 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/07/16 • 29 views
XSS vulnerability in FortiNAC admin webUI search field
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in the FortiNAC admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI...
CVSS 4.3 · AI score 3.7 · EPSS 0.00705 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/06/12 • 31 views
Cross-Site-Scripting (XSS) vulnerability in FortiWeb reports
The URL part of the report message is not encoded in Fortinet FortiWeb, which may allow an attacker to execute unauthorized code or commands (cross-site scripting) via attack reports generated in HTML format...
CVSS 4.3 · AI score 1.8 · EPSS 0.00965 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/06/04 • 38 views
Server Message Block (SMB) 1.0, a legacy file and print sharing protocol, has been deprecated by Microsoft due to multiple weaknesses (remote code execution, downgrade, man-in-the-middle, collision and pre-image attacks)...
AI score 7 · Exploits: 0 · Affected software: 3

Fortinet • added 2019/05/24 • 246 views
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a cross-site scripting (XSS) or a URL redirection attack...
CVSS 3.5 · AI score 5.2 · EPSS 0.03718 · Exploits: 2 · Affected software: 1

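
The login redir entry above describes two outcomes of one missing check: a redirect target that is reflected into the page (XSS) and one that is followed off-site (open redirect). As an added example, not code from the advisory or from FortiOS, here is the validation a login handler should apply to such a parameter before following or echoing it. The default landing path `/portal` and the meta-refresh rendering are assumptions for the demo.

```python
import html
from urllib.parse import urlsplit, unquote

# Hypothetical post-login landing page; not taken from the advisory.
DEFAULT_TARGET = "/portal"


def safe_redirect_target(redir: str, default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on the current origin.

    Accepts only an absolute path (a single leading '/'), rejects anything a
    browser would treat as another origin or as a script URL, and falls back
    to `default` otherwise.
    """
    if not redir:
        return default
    # Decode once so %2F%2F and %5C tricks are inspected in decoded form.
    candidate = unquote(redir)
    # Control characters can split headers or hide a scheme from the check.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return default
    # Browsers treat '\' like '/' in URLs, so normalise before checking.
    normalised = candidate.replace("\\", "/")
    parts = urlsplit(normalised)
    # Any scheme (javascript:, https:) or host means the target leaves this origin.
    if parts.scheme or parts.netloc:
        return default
    # Must be an absolute path and must not be protocol-relative ('//host').
    if not normalised.startswith("/") or normalised.startswith("//"):
        return default
    return normalised


def render_redirect_page(redir: str) -> str:
    """Echo the validated target into HTML the way a login page might.

    Even after validation the value is attacker-chosen text, so it is
    HTML-escaped: a path such as /x"><script> cannot break out of the attribute.
    """
    target = safe_redirect_target(redir)
    return f'<meta http-equiv="refresh" content="0; url={html.escape(target, quote=True)}">'


if __name__ == "__main__":
    for sample in ("/portal/home?x=1", "//evil.example/phish", "javascript:alert(1)",
                   "/\\evil.example", "/%2F%2Fevil.example", '/x"><script>alert(1)</script>'):
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
```

The two checks are independent: validation stops the open redirect, escaping stops the reflected XSS, and dropping either one reopens the corresponding half of the advisory.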
Fortinet • added 2019/05/24 • 138 views
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests...
CVSS 5 · AI score 9 · EPSS 0.99999 · Exploits: 21 · Affected software: 1

Fortinet • added 2019/05/17 • 35 views
Failure to properly parse message payloads in the SSL VPN portal of FortiOS may allow a non-authenticated attacker to perform a denial of service attack by exploiting a buffer overflow...
CVSS 5 · AI score 7.3 · EPSS 0.01753 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/05/15 • 11 views
FortiCASB data pattern name XSS vulnerability
Failure to sanitize input in the customized data pattern webpage of FortiCASB may allow an authenticated attacker to conduct a stored XSS attack via the name parameter...
AI score 6 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/04/23 • 13 views
Multiple VPN applications insecurely store session cookies
A Missing Encryption of Sensitive Data vulnerability in FortiClient may allow an attacker to access the VPN session cookie from an endpoint device running FortiClient. The attacker can steal the cookies only if the endpoint device has been compromised in such a way that the attacker has access to...
AI score 6.7 · Exploits: 0

Fortinet • added 2019/04/23 • 39 views
FortiManager Unencrypted Password Vulnerability
A cleartext transmission of sensitive information vulnerability in FortiManager may allow an unauthenticated attacker in a man-in-the-middle position to retrieve the admin password by intercepting REST API JSON responses...
CVSS 4.3 · AI score 4 · EPSS 0.00863 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/04/10 • 57 views
FortiAP Bleeding Bit Vulnerability
Some FortiAP models are vulnerable to the Bleeding Bit vulnerability (CVE-2018-16986) present in Texas Instruments BLE chips...
CVSS 5.8 · AI score 1.8 · EPSS 0.02981 · Exploits: 0 · Affected software: 2

Fortinet • added 2019/04/10 • 77 views
FortiSwitch is vulnerable to multiple cross-site scripting (XSS) attacks present in the jQuery JavaScript library...
CVSS 4.3 · AI score 6.5 · EPSS 0.30224 · Exploits: 6 · Affected software: 11

Fortinet • added 2019/04/04 • 23 views
An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device by connecting to the ZebOS component...
CVSS 6.5 · AI score 8.4 · EPSS 0.01308 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/04/03 • 30 views
FortiSandbox reflected XSS in the file scan component
A reflected cross-site scripting (XSS) vulnerability in Fortinet FortiSandbox may allow an attacker to execute unauthorized code or commands via the backurl parameter in the file scan component...
CVSS 4.3 · AI score 4 · EPSS 0.00923 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/04/02 • 36 views
FortiClient Mac is vulnerable to a local denial of service
An improper access control vulnerability in FortiClientMac may allow an attacker to affect the application's performance by modifying the content of a file used by several FortiClientMac processes...
CVSS 3.6 · AI score 4.4 · EPSS 0.00357 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/03/29 • 31 views
FortiSIEM LDAP server password reflected in admin portal
An information exposure vulnerability in the admin portal of FortiSIEM may allow an authenticated admin to retrieve the LDAP server password via the HTML source code. This could potentially aggravate attacks targeting the authenticated admin session, should they exist (XSS, social engineering, pro...
CVSS 4 · AI score 1.5 · EPSS 0.01286 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/02/07 • 205 views
The DES and Triple DES ciphers, as used in the TLS, SSH and IPsec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted...
CVSS 5 · AI score 7.4 · EPSS 0.95707 · Exploits: 7 · Affected software: 7

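
The entry above gives the Sweet32 birthday bound as roughly four billion blocks. The following added example, not part of the advisory, works the numbers behind that figure: the bound is 2^(n/2) blocks for an n-bit block, so 2^32 blocks of 8 bytes for DES/3DES, about 32 GiB under one key, at which point a CBC block collision (and with it the XOR of two plaintext blocks) becomes likely; the same data volume under a 128-bit block cipher is nowhere near the bound. The TLS suite-name check at the end is a substring triage, not a full IANA table.

```python
import math

# Block sizes in bits for the ciphers the advisory contrasts.
BLOCK_BITS = {"DES": 64, "3DES": 64, "AES": 128}


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a ciphertext-block collision is expected under one
    key: 2^(n/2) for an n-bit block (the birthday bound)."""
    return 1 << (block_bits // 2)


def birthday_bound_bytes(block_bits: int) -> int:
    """The same bound expressed as plaintext volume under one key."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def collision_probability(block_bits: int, data_bytes: int) -> float:
    """Probability that at least two blocks collide after encrypting
    `data_bytes` under one key, using the birthday approximation
    1 - exp(-k^2 / (2 * 2^n)) with k = number of blocks. In CBC mode a
    collision C_i == C_j reveals P_i XOR P_j, which is what Sweet32 exploits."""
    k = data_bytes // (block_bits // 8)
    return 1.0 - math.exp(-(k * k) / (2.0 * 2.0 ** block_bits))


def bytes_for_probability(block_bits: int, p: float) -> int:
    """Volume under one key at which the collision probability reaches p
    (the inverse of collision_probability)."""
    k = math.sqrt(-2.0 * 2.0 ** block_bits * math.log1p(-p))
    return int(k) * (block_bits // 8)


def uses_64bit_block(cipher_suite: str) -> bool:
    """Quick triage of an IANA TLS cipher-suite name for 64-bit block ciphers
    (DES, 3DES, IDEA, RC2); a substring check, not a complete table."""
    name = cipher_suite.upper()
    return any(tok in name for tok in ("3DES", "_DES_", "IDEA", "RC2"))


if __name__ == "__main__":
    for cipher, bits in BLOCK_BITS.items():
        print(f"{cipher}: bound {birthday_bound_blocks(bits)} blocks "
              f"= {birthday_bound_bytes(bits) / 2**30:.0f} GiB, "
              f"P(collision after 32 GiB) = {collision_probability(bits, 32 * 2**30):.3f}")
    print("50% collision for 64-bit blocks at",
          bytes_for_probability(64, 0.5) / 10**9, "GB")
```

The practical reading: a long-lived TLS or IPsec tunnel negotiating a 3DES suite and moving tens of gigabytes under one key is within the attack's reach, so the fix is to remove the suites (or force rekeying well below the bound), not to tune anything else.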
Fortinet • added 2019/01/11 • 25 views
There is a format string vulnerability in the SSH username handling when connecting to FortiOS 5.6.0 that may lead to memory corruption...
CVSS 7.5 · AI score 8.8 · EPSS 0.01191 · Exploits: 0 · Affected software: 1

Fortinet • added 2019/01/11 • 24 views
FortiClient NDIS Miniport Driver Null Pointer Dereference
There is a null pointer dereference in the NDIS Miniport drivers in FortiClient on Windows, which may be leveraged by an unprivileged user to cause a denial of service (BSOD)...
CVSS 4.9 · AI score 4.9 · EPSS 0.00434 · Exploits: 0 · Affected software: 1

Fortinet • added 2018/12/22 • 18 views
FortiClient local privilege escalation exploit chain
A researcher has disclosed several vulnerabilities against FortiClient for Windows; the combination of these vulnerabilities can turn into an exploit chain which allows a user to gain system privileges on Microsoft Windows...
CVSS 4.6 · AI score 2.9 · EPSS 0.00337 · Exploits: 0

Fortinet • added 2018/11/22 • 22 views
Uninitialized memory buffer leak in FortiOS explicit web proxy
An uninitialized memory buffer leak exists in the FortiOS web proxy's disclaimer response web pages, potentially causing sensitive data to be displayed in the HTTP response...
CVSS 5 · AI score 0.3 · EPSS 0.02119 · Exploits: 1 · Affected software: 1

Fortinet • added 2018/11/21 • 39 views
CVE-2018-10933 libssh authentication bypass
libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully...
CVSS 6.4 · AI score 5.1 · EPSS 0.91789 · Exploits: 10

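
The libssh entry above states the mechanism precisely: the server reacted to a message type that only a server should ever send. The added example below (not libssh's code) models a minimal server-side userauth dispatcher in that shape next to a hardened one that restricts the userauth phase to client-originated message types, so that the authenticated flag can only change as the result of a verified request. Message numbers are from RFC 4252; the credential store is a constructed placeholder.

```python
import hmac

# Message numbers from RFC 4252 (SSH authentication protocol).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

# Constructed placeholder credential store for the demo.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}

# The only message type a client may send the server during the userauth phase.
CLIENT_ORIGINATED = {SSH_MSG_USERAUTH_REQUEST}


def check_password(payload: dict) -> bool:
    """Constant-time password check against the placeholder store."""
    user = payload.get("user")
    password = payload.get("password")
    if user not in VALID_CREDENTIALS or not isinstance(password, str):
        return False
    return hmac.compare_digest(VALID_CREDENTIALS[user].encode(), password.encode())


class VulnerableServerAuth:
    """Dispatches on message type alone. The handler for USERAUTH_SUCCESS marks
    the session authenticated, although only the server should ever emit that
    type; a client that sends it first skips authentication entirely."""

    def __init__(self) -> None:
        self.authenticated = False

    def handle(self, msg_type: int, payload: dict) -> int:
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            self.authenticated = check_password(payload)
        elif msg_type == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True  # the bug: trusting a server-only message
        return SSH_MSG_USERAUTH_SUCCESS if self.authenticated else SSH_MSG_USERAUTH_FAILURE


class HardenedServerAuth:
    """Rejects any message type the client is not allowed to send in this
    phase; state changes only as the result of a verified USERAUTH_REQUEST."""

    def __init__(self) -> None:
        self.authenticated = False

    def handle(self, msg_type: int, payload: dict) -> int:
        if msg_type not in CLIENT_ORIGINATED:
            raise ValueError(f"protocol violation: client sent message type {msg_type}")
        self.authenticated = check_password(payload)
        return SSH_MSG_USERAUTH_SUCCESS if self.authenticated else SSH_MSG_USERAUTH_FAILURE


def bypass_attempt(server) -> bool:
    """Send USERAUTH_SUCCESS where a USERAUTH_REQUEST is expected and report
    whether the server now treats the session as authenticated."""
    try:
        server.handle(SSH_MSG_USERAUTH_SUCCESS, {})
    except ValueError:
        pass
    return server.authenticated


if __name__ == "__main__":
    print("vulnerable server bypassed:", bypass_attempt(VulnerableServerAuth()))
    print("hardened server bypassed:  ", bypass_attempt(HardenedServerAuth()))
```

The general lesson is that a protocol state machine needs a per-state allow-list of incoming message types; a flat "one handler per message number" table lets the peer drive the server into states it should only reach on its own.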
Fortinet • added 2018/11/16 • 33 views
Cross-site scripting (XSS) vulnerability via DHCP Hostname parameter
An attacker could send a DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer, and in FortiManager with the FortiAnalyzer feature enabled...
CVSS 4.3 · AI score 1.9 · EPSS 0.00647 · Exploits: 0 · Affected software: 1

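
This entry and the FortiGate DHCP monitor page entry (added 2019/11/25) share one root cause: DHCP option 12 (Host Name) is chosen by whoever sends the packet, and an admin page or log viewer later renders it as HTML. As an added example covering both, not Fortinet's code, the block below builds a DHCPDISCOVER carrying a script payload as its hostname, parses the option area per RFC 2131/2132, and shows the vulnerable rendering beside the escaped one, with an RFC 1123 hostname check as a second layer. The MAC address, transaction id and payload are constructed samples.

```python
import html
import re
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 §3, start of the options field
OPT_HOST_NAME = 12                        # RFC 2132 §3.14
OPT_MESSAGE_TYPE = 53                     # RFC 2132 §9.6
OPT_END = 255
DHCPDISCOVER = 1

# RFC 1123 hostname: labels of letters, digits and hyphens, 1..63 chars each.
HOSTNAME_LABEL = rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(HOSTNAME_LABEL + rb"(?:\." + HOSTNAME_LABEL + rb")*")


def build_dhcp_discover(mac: bytes, hostname: bytes, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPDISCOVER: RFC 2131 fixed header + cookie + options."""
    if len(hostname) > 255:
        raise ValueError("option value exceeds one-byte length")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,              # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"),        # chaddr
        b"\0" * 64, b"\0" * 128,     # sname, file
    )
    options = (bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOST_NAME, len(hostname)]) + hostname
               + bytes([OPT_END]))
    return header + DHCP_MAGIC_COOKIE + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Parse the TLV option area into {option_code: raw_bytes}, bounds-checked."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def is_rfc1123_hostname(value: bytes) -> bool:
    """Defence in depth: does the value even look like a hostname?"""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def render_monitor_row_vulnerable(packet: bytes) -> str:
    """Vulnerable: the hostname is dropped into HTML verbatim (stored XSS in the admin UI)."""
    hostname = parse_dhcp_options(packet)[OPT_HOST_NAME].decode("latin-1")
    return f"<tr><td>{hostname}</td></tr>"


def render_monitor_row_hardened(packet: bytes) -> str:
    """Hardened: the hostname is untrusted text, so it is HTML-escaped at output."""
    hostname = parse_dhcp_options(packet)[OPT_HOST_NAME].decode("latin-1")
    return f"<tr><td>{html.escape(hostname, quote=True)}</td></tr>"


# Constructed sample: an attacker's DHCPDISCOVER carrying a script as its hostname.
SAMPLE_PAYLOAD = b"<script>alert(document.cookie)</script>"
SAMPLE_PACKET = build_dhcp_discover(b"\x02\x00\x00\xaa\xbb\xcc", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print("vulnerable:", render_monitor_row_vulnerable(SAMPLE_PACKET))
    print("hardened:  ", render_monitor_row_hardened(SAMPLE_PACKET))
    print("looks like a hostname:", is_rfc1123_hostname(SAMPLE_PAYLOAD))
```

Output encoding is the fix that actually closes the bug; the hostname syntax check is worth having because it also catches log-injection and terminal-escape payloads, but it must not replace escaping, since the same value may be rendered in several places.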
Fortinet • added 2018/11/16 • 42 views
Serial number disclosure in the FortiOS PPTP server hostname protocol field
The FortiGate PPTP service reveals the serial number of the FortiGate in the hostname field defined in the connection control setup packets of the PPTP protocol...
CVSS 5 · AI score 1.1 · EPSS 0.0087 · Exploits: 0 · Affected software: 1

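
The PPTP entry above concerns the Host Name field of the Start-Control-Connection-Request/Reply, a fixed 64-octet field in the 156-octet control message of RFC 2637 §2.2, which the server sends before any authentication. As an added example, not Fortinet's code, this parser extracts that field (and the vendor string and firmware revision) so that an operator can audit what a PPTP server announces to anyone who connects; the packet is built locally with a placeholder hostname, not a real serial number.

```python
import struct

# RFC 2637 §2.2: Start-Control-Connection-Request/Reply layout, 156 octets.
PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
SCCRQ, SCCRP = 1, 2
SCC_FORMAT = "!HHIHHHBBIIHH64s64s"
SCC_LENGTH = struct.calcsize(SCC_FORMAT)   # 156


def build_sccrp(hostname: bytes, vendor: bytes, firmware_rev: int = 0) -> bytes:
    """Construct an SCCRP as a PPTP server would send it (fields per RFC 2637)."""
    if len(hostname) > 64 or len(vendor) > 64:
        raise ValueError("hostname and vendor string are limited to 64 octets")
    return struct.pack(
        SCC_FORMAT,
        SCC_LENGTH, PPTP_CONTROL_MESSAGE, PPTP_MAGIC_COOKIE,
        SCCRP, 0,                    # control message type, reserved0
        0x0100,                      # protocol version 1.0
        1, 0,                        # result code (1 = successful), error code
        0x3, 0x3,                    # framing / bearer capabilities
        64, firmware_rev,            # maximum channels, firmware revision
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"),
    )


def parse_scc(packet: bytes) -> dict:
    """Parse an SCCRQ/SCCRP and return the fields an auditor cares about."""
    if len(packet) < SCC_LENGTH:
        raise ValueError("short PPTP control message")
    (_length, msg_type, cookie, ctrl_type, _reserved, version, result, error,
     _framing, _bearer, _max_chan, fw_rev, host, vendor) = struct.unpack(
        SCC_FORMAT, packet[:SCC_LENGTH])
    if cookie != PPTP_MAGIC_COOKIE or msg_type != PPTP_CONTROL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type not in (SCCRQ, SCCRP):
        raise ValueError(f"not a start-control-connection message: {ctrl_type}")
    return {
        "control_type": ctrl_type,
        "protocol_version": version,
        "result_code": result,
        "error_code": error,
        "firmware_revision": fw_rev,
        # Fixed-width, zero-padded fields: strip the padding before decoding.
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def announced_identity(packet: bytes) -> tuple:
    """What an unauthenticated peer learns from the reply: (hostname, vendor, firmware)."""
    info = parse_scc(packet)
    return info["hostname"], info["vendor"], info["firmware_revision"]


# Constructed sample; the hostname is a placeholder, not a real serial number.
SAMPLE_SCCRP = build_sccrp(b"PLACEHOLDER-SERIAL", b"example-vendor", firmware_rev=0x0102)

if __name__ == "__main__":
    print(announced_identity(SAMPLE_SCCRP))
```

Anything that lands in these fields is readable by an unauthenticated TCP client of port 1723, so a device identifier there is a fingerprinting aid for anyone scanning the address space.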
Fortinet • added 2018/08/27 • 16 views
VPNFilter botnet
On May 23, 2018, Talos disclosed in a blog post the discovery of a modular malware system they deemed "VPNFilter", affecting multiple network devices worldwide and embedding botnet capabilities...
AI score 1.6 · Exploits: 0

Total number of security vulnerabilities: 649