Lucene search
K
FortinetRecent

649 matches found

Fortinet
Fortinet
added 2023/04/11 12:0 a.m.31 views

FortiSandbox - SQL injection in certificate downloading feature

An improper neutralization of special elements used in an SQL Command 'SQL Injection' vulnerability CWE-89 in FortiSandbox may allow a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request...

4CVSS6.5AI score0.00628EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.77 views

FortiClient (Windows) - Arbitrary file creation from unprivileged users due to process impersonation

An incorrect authorization CWE-863 vulnerability in FortiClient Windows may allow a local low privileged attacker to perform arbitrary file creation in the device filesystem...

4.3CVSS7.1AI score0.00165EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.64 views

FortiWeb & FortiADC - OS command injection in CLI

An improper neutralization of special elements used in an OS command vulnerability CWE-78 in the command line interpreter of FortiWeb & FortiADC may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands...

4.3CVSS7.6AI score0.00626EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.46 views

FortiClientWindows - Arbitrary file creation by unprivileged users

A relative path traversal CWE-23 vulnerability in FortiClientWindows may allow a local low privileged attacker to perform arbitrary file creation on the device filesystem...

4.3CVSS7.1AI score0.00346EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.38 views

FortiAnalyzer & FortiManager - Lack of client-side certificate validation when establishing secure connections with FortiGuard to download outbreakalert

An improper certificate validation vulnerability CWE-295 in FortiAnalyzer and FortiManager may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert ressources...

5.1CVSS7.8AI score0.00275EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.53 views

FortiSOAR - Server-side Template Injection in playbook execution

An improper neutralization of special elements used in a template engine vulnerability CWE-1336 in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload...

6.5CVSS8.7AI score0.01141EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.71 views

FortiAnalyzer - Improper input validation in custom dataset

An improper input validation vulnerability CWE-20 in FortiAnalyzer may allow an authenticated attacker to disclose file system information via custom dataset SQL queries...

1.7CVSS6AI score0.00187EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.121 views

CVE-2022-0847 on Linux Kernel

A security advisory was released affecting a version of the Linux Kernel used in FortiAuthenticator, FortiProxy & FortiSIEM:...

7.2CVSS7.6AI score0.89063EPSS
Exploits100Affected Software3
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.75 views

Protect

A URL redirection to untrusted site 'Open Redirect' vulnerability CWE-601 in FortiOS and FortiProxy sslvpnd may allow an authenticated attacker to redirect users to any arbitrary website via a crafted URL...

4.9CVSS5.4AI score0.00298EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.37 views

FortiNAC - Report disclosure to unauthenticated users

An exposure of sensitive information to an unauthorized actor vulnerability CWE-200 in FortiNAC may allow an unauthenticated attacker to access sensitive information via crafted HTTP requests...

5CVSS7.2AI score0.00593EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.34 views

FortiADC & FortiDDoS & FortiDDoS-F - Command injection in log & report module

An improper neutralization of special elements used in an OS command vulnerability CWE-78 in FortiADC, FortiDDoS and FortiDDoS-F may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands...

4.3CVSS7.7AI score0.0024EPSS
Exploits0Affected Software3
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.43 views

FortiADC - Cross-Site Scripting in Fabric Connectors

An improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability CWE-79 in FortiADC may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests...

4.9CVSS5.2AI score0.00392EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/04/11 12:0 a.m.31 views

FortiWeb - XSS vulnerability in HTML generated attack report files

An improper neutralization of input during web page generation CWE-79 in the FortiWeb web interface may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack XSS via injecting malicious payload in log entries used to build report...

5.8CVSS6AI score0.00642EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.37 views

FortiSOAR - Improper Authorization in request headers

An improper access control vulnerability CWE-284 in FortiSOAR's playbook component may allow an attacker authenticated on the administrative interface to perform unauthorized actions via crafted HTTP requests...

5.8CVSS6.7AI score0.00906EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.37 views

FortiWeb - command injection in webserver

An improper neutralization of special elements used in an OS command vulnerability 'OS Command Injection' CWE-78 in FortiWeb may allow authenticated users to execute unauthorized code or commands via specifically crafted HTTP requests...

6.5CVSS8.7AI score0.01691EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.35 views

FortiAuthenticator, FortiDeceptor & FortiMail - Improper restriction over excessive authentication attempts

An improper restriction of excessive authentication attempts vulnerability CWE-307 in FortiAuthenticator, FortiDeceptor & FortiMail may allow a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form...

5CVSS5.9AI score0.01808EPSS
Exploits1Affected Software3
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.54 views

FortiRecorder - DoS in login authentication mechanism

An uncontrolled resource consumption vulnerability CWE-400 in FortiRecorder login authentication mechanism may allow an unauthenticated attacker to make the device unavailable via crafted GET requests...

5CVSS7.5AI score0.0723EPSS
Exploits3Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.65 views

Protect

An access of uninitialized pointer vulnerability CWE-824 in the SSL-VPN portal of FortiOS & FortiProxy may allow a remote authenticated attacker to crash the sslvpn daemon via an HTTP GET request...

4CVSS6.1AI score0.00818EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.44 views

FortiWeb and FortiRecorder - Arbitrary file read through command line pipe

An incomplete filtering of one or more instances of special elements vulnerability CWE-792 in the command line interpreter of FortiRecorder and FortiWeb may allow an authenticated user to read arbitrary files via specially crafted command arguments...

1.7CVSS5.7AI score0.00225EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.36 views

FortiNAC - Multiple privilege escalation via sudo command

An improper privilege management vulnerability CWE-269 in FortiNAC may allow a low privilege local user with shell access to execute arbitrary commands as root...

4.3CVSS7.8AI score0.00207EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.43 views

FortiNAC - Multiple Reflected XSS

An improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability CWE-79 in FortiNAC may allow an authenticated user to perform an XSS attack via crafted HTTP requests...

4.9CVSS5.3AI score0.00514EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.37 views

FortiAnalyzer -- the log-fetch client request password is shown in clear text in the heartbeat response

An exposure of sensitive information to an unauthorized actor CWE-200 vulnerability in FortiAnalyzer may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer...

2.1CVSS4.5AI score0.00241EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.229 views

Protect

A improper limitation of a pathname to a restricted directory vulnerability 'path traversal' CWE-22 in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands...

3.2CVSS6.9AI score0.12316EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.40 views

FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch - Information disclosure through diagnose debug commands

An exposure of sensitive information to an unauthorized actor vulnerability CWE-200 in FortiManager, FortiAnalyzer, FortiPortal & FortiSwitch may allow an attacker which has obtained access to a restricted administrative account to obtain sensitive information via diagnose debug commands...

4CVSS6AI score0.00469EPSS
Exploits0Affected Software4
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.242 views

Protect

A buffer underwrite 'buffer underflow' vulnerability in FortiOS, FortiManager, FortiAnalyzer, FortiWeb, FortiProxy & FortiSwitchManager administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically...

9.6AI score0.17797EPSS
Exploits1Affected Software7
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.70 views

Protect

An exposure of sensitive information to an unauthorized actor vulnerability CWE-200 in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPs GET requests...

5CVSS5.3AI score0.00559EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.73 views

FortiAnalyzer - CSV injection in macro name

An improper neutralization of formula elements vulnerability CWE 1236 in FortiAnalyzer may allow a local authenticated privileged attacker to execute arbitrary code on the end-user's host via inserting spreadsheet formulas in the macro names. This is achieved once the user downloads and opens the...

4.1CVSS7.3AI score0.00263EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/03/07 12:0 a.m.65 views

Protect

A relative path traversal vulnerability CWE-23 in FortiOS and FortiProxy may allow privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests...

4CVSS7.9AI score0.00217EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.105 views

FortiNAC - External Control of File Name or Path in keyUpload scriptlet

An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system...

7.5CVSS9.2AI score0.99815EPSS
Exploits7Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.81 views

Protect

An improper certificate validation vulnerability CWE-295 in FortiOS and FortiProxy may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds when the latter are...

4CVSS7.2AI score0.00276EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.118 views

Protect

A missing cryptographic steps vulnerability CWE-325 in the functions that encrypt the DHCP and DNS keys ddns-key or n-mhae-key in FortiOS & FortiProxy configuration may allow an attacker in possession of the encrypted key to decipher it...

1.7CVSS4.6AI score0.00174EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.91 views

Protect

An improper verification of cryptographic signature vulnerability CWE-347 in FortiOS, FortiWeb, FortiProxy and FortiSwitch may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter...

4CVSS5AI score0.00287EPSS
Exploits0Affected Software4
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.38 views

FortiNAC - Multiple Stored and Reflected XSS

Several improper neutralization of inputs during web page generation vulnerability CWE-79 in FortiNAC may allow an authenticated attacker to perform several XSS attacks via crafted HTTP GET requests...

4.9CVSS5.2AI score0.00462EPSS
Exploits0
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.38 views

FortiNAC - Weak password storage

An insufficiently protected credentials vulnerability CWE-522 in FortiNAC may allow an attacker with access to the database to perform attacks to recover the passwords...

4.3CVSS7.3AI score0.00142EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.39 views

FortiWeb - Multiple OS command injection

Multiple improper neutralization of special elements used in an OS Command 'OS Command Injection' vulnerabilities CWE-78 in FortiWeb may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests...

6.5CVSS8.9AI score0.01324EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.72 views

FortiWeb - Path traversal in API controller

A relative path traversal vulnerability CWE-23 in the API of FortiWeb may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests...

4CVSS6.4AI score0.00558EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.79 views

Protect

An improper neutralization of CRLF sequences in HTTP headers 'HTTP Response Splitting' vulnerability CWE-113 in FortiOS and FortiProxy may allow an authenticated and remote attacker to inject arbitrary headers...

5.5CVSS5.6AI score0.00464EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.35 views

FortiPortal - Device password exposure in audit log

An insertion of sensitive information into log file vulnerability CWE-532 in the FortiPortal management interface may allow a remote authenticated attacker to read other devices' passwords in the audit log page...

4CVSS6AI score0.00687EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.113 views

FortiADC - OS command injection vulnerability in CLI

An improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability CWE-78 in FortiADC may allow an authenticated attacker to execute arbitrary shell code as root via CLI commands...

4.3CVSS8AI score0.00552EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.54 views

FortiWeb - Stack-based Buffer Overflow in command line interpreter

A stack-based buffer overflow CWE-121 in the command line interpreter of FortiWeb may allow an authenticated user to execute unauthorized code or commands via specially crafted command arguments...

4.3CVSS8.1AI score0.00192EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.43 views

FortiWAN - Command injection vulnerability

An improper neutralization of special elements used in an OS command vulnerability CWE-78 in the management interface of FortiWAN may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands...

6.5CVSS8.6AI score0.01284EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.85 views

FortiAnalyzer - XSS vulnerability due to AngularJS Client-Side Template injection

An improper neutralization of input during web page generation vulnerability CWE-79 in FortiAnalyzer may allow a remote unauthenticated attacker to perform a stored cross site scripting XSS attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer...

5.8CVSS5.9AI score0.00668EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.61 views

Protect

An improper privilege management vulnerability CWE-269 in FortiOS & FortiProxy may allow an administrator that has access to the admin profile section System subsection Administrator Users to modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands...

2.9CVSS5.9AI score0.0024EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.65 views

Protect

A clear text storage of sensitive information CWE-312 vulnerability in both FortiGate and FortiAuthenticator may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via...

1.7CVSS4.1AI score0.0029EPSS
Exploits0Affected Software2
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.77 views

Protect

An improper neutralization of input during web page generation CWE-79 vulnerability in FortiOS may allow a remote, unauthenticated attacker to launch a cross site scripting XSS attack via the "redir" parameter of the URL seen when the "Sign in with FortiCloud" button is clicked. Â...

5.8CVSS5.9AI score0.00656EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.49 views

FortiWeb - Multiple Stack based buffer overflow in web interface

Multiple buffer overflow CWE-121 vulnerabilities in the web server of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted HTTP requests...

6.5CVSS9.2AI score0.00792EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.51 views

FortiWeb - Command injection in CLI backup functionality

An improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability CWE-78 in FortiWeb may allow a privileged attacker to execute arbitrary bash commands via crafted cli backup parameters...

7.9AI score0.01322EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.69 views

FortiWeb - Relative path traversal in web API

A path traversal vulnerability CWE-23 in the API of FortiWeb may allow a unauthenticated attacker to retrieve specific parts of files from the underlying file system via specially crafted web requests...

4CVSS5.3AI score0.00474EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.36 views

FortiSandbox - Improper password storage mechanism

A use of password hash with insufficient computational effort vulnerability CWE-916 in FortiSandbox may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords...

5CVSS7.4AI score0.00315EPSS
Exploits0Affected Software1
Fortinet
Fortinet
added 2023/02/16 12:0 a.m.29 views

FortiNAC - Multiple reflected cross-site scripting vulnerabilities in portal UI

Multiple improper neutralization of input during web page generation 'Cross-site Scripting' vulnerabilities CWE-79 in FortiNAC portal UI may allow an attacker to perform an XSS attack via crafted HTTP requests...

5.8CVSS6.1AI score0.00581EPSS
Exploits0Affected Software1
Total number of security vulnerabilities649