FortiWLC - Access of Uninitialized Pointer vulnerability
An access of uninitialized pointer CWE-824 vulnerability in FortiWLC may allow a local and authenticated attacker to crash the access point being managed by the controller by executing a crafted CLI command...
FortiEDR - Hardcoded AES key enable disabling local Collector
A use of hard-coded cryptographic key vulnerability CWE-321 in the registration mechanism of FortiEDR collectors may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment...
FortiWAN - Pervasive OS command injection
Multiple improper neutralization of special elements used in an OS command vulnerabilities CWE-78 in FortiWAN Web GUI may allow an authenticated attacker to execute arbitrary commands on the underlying system's shell via specifically crafted HTTP requests...
FortiWAN - Stored Cross-site scripting in log viewer
An improper neutralization of input during web page generation vulnerability CWE-79 in FortiWAN may allow an attacker to perform a stored cross-site scripting attack via specifically crafted HTTP requests...
FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol
A use of a broken or risky cryptographic algorithm vulnerability CWE-327 in the Dynamic Tunnel Protocol of FortiWAN may allow an unauthenticated remote attacker to decrypt and forge protocol communication messages...
FortiWAN - Stack-based buffer overflow in bmstatd
Multiple stack-based buffer overflow vulnerabilities CWE-121 both in network daemons and in the command line interpreter of FortiWAN may allow an unauthenticated attacker to potentially corrupt control data in memory and execute arbitrary code via specifically crafted requests...
FortiWAN - Use of hardcoded salt for password hashing
A use of a one-way hash with a predictable salt vulnerability CWE-760 in FortiWAN may allow an attacker who has previously come in possession of the password file to potentially guess passwords therein stored...
FortiClient (Linux) - external access to confighandler webserver
An exposure of sensitive information to an unauthorized actor vulnerability CWE-200 in FortiClient for Linux may allow an unauthenticated attacker to access the confighandler webserver via external binaries...
FortiWAN - Pervasive SQL injection
Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiWAN may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests...
FortiEDR - Insecure RSA key transport
A use of hard-coded cryptographic key vulnerability CWE-321 in FortiEDR may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors...
CVE-2022-22965 and CVE-2022-22963 vulnerabilities
Two distinct Spring project vulnerabilities were released recently with critical CVSS scores and classified as zero-day attacks. The two vulnerabilities are currently known as: CVE-2022-22965 or Spring4Shell: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remot...
Protect
A security advisory was released affecting the version of OpenSSL library used in some Fortinet products:...
FortiAP-C - Command injection in CLI
An improper neutralization of special elements used in an OS Command vulnerability CWE-78 in FortiAP-C console may allow an authenticated attacker to execute unauthorized commands by running CLI commands with specifically crafted arguments...
FortiPortal - Insecure password generation
The use of a cryptographically weak pseudo-random number generator CWE-338 in the password reset feature of FortiPortal may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame...
FortiWLM - Path traversal vulnerability
Multiple relative path traversal vulnerabilities CWE-23 in FortiWLM management interface may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests...
FortiManager - Password observed in cleartext in the config conflict file
An exposure of sensitive system information to an unauthorized control sphere vulnerability CWE-497 in FortiManager may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file...
FortiWLM - command Injection in script handlers
An improper neutralization of special elements used in an OS command 'OS Command Injection' CWE-78 vulnerability in FortiWLM may allow an authenticated attacker to execute arbitrary shell commands via crafted HTTP requests to the alarm dashboard and controller config handlers...
FortiMail - Unsafe handling of CGI environment parameters in web server framework
An improper input validation CWE-20 vulnerability in the web server CGI facilities of FortiMail may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests...
FortiToken Mobile (Android) - Deny request approved from External push notification
An improper access control vulnerability CWE-284 in FortiToken Mobile Android external push notification may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user...
FortiWLM - SQL Injection in AP report handlers
An improper neutralization of special elements used in an SQL command 'SQL Injection' vulnerability CWE-89 in FortiWLM may allow an authenticated attacker to alter the query logic and execute arbitrary SQL statements via crafted HTTP requests to the AP monitor handlers...
Protect
An exposure of sensitive information to an unauthorized actor vulnerability CWE-200 in FortiOS may allow a privileged attacker to disclose sensitive information via SNI Client Hello TLS packets...
FortiMail - Administrative authentication bypass
An improper authentication vulnerability CWE-287 in FortiMail may allow a remote attacker to efficiently guess one administrative account's authentication token by observing certain system properties...
FortiAnalyzer, FortiManager - bypass of client-side password change policy enforcement
An improper handling of insufficient permissions or privileges vulnerability CWE-280 in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user...
FortiWeb - OS command injection due to unsafe input validation function
An improper neutralization of special elements used in an OS command vulnerability 'OS Command Injection' CWE-78 in FortiWeb may allow authenticated users to execute unauthorized code or commands via crafted HTTP GET requests to WAD configuration handlers...
FortiAuthenticator - Improper access control in HA service
An improper access control vulnerability CWE-284 in FortiAuthenticator HA service may allow an attacker on the same VLAN as the HA management interface to make an unauthenticated direct connection to the FAC's database...
FortiWeb - arbitrary file/directory deletion
An improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability CWE-22 in FortiWeb management interface may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem...
FortiWeb - OS command injection due to direct input interpolation in API controllers
An improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability CWE-78 in FortiWeb may allow an authenticated attacker to execute arbitrary code or commands via crafted HTTP requests to ApplicationDelivery, JsonProtection and WebProtection controllers...
FortiExtender - Arbitrary command execution because of missing CLI input sanitization
An improper neutralization of special elements used in a command vulnerability 'Command Injection' CWE-77 in FortiExtender may allow an authenticated user to raise their privileges to admin user via crafted arguments of the execute CLI command...
FortiWeb - Stack-based buffer overflow in command line interpreter
Multiple stack-based buffer overflows CWE-121 in the command line interpreter of FortiWeb may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands...
FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection
An improper neutralization of input during web page generation vulnerability 'Cross-site Scripting' CWE-79 in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service...
Multiple Apache Vulnerabilities fixed in 2.4.52
The Apache project released an advisory, describing the following vulnerabilities:...
Apache log4j2 log messages substitution (CVE-2021-44228)
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when...
Protect
A buffer overflow CWE-121 in the TFTP client library of FortiOS may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments...
FortiWeb - Confused deputy issue on SERVER_NAME causes open proxy flaw
An unintended proxy or intermediary 'Confused Deputy' CWE-441 in FortiWeb may allow an authenticated attacker to use the device as proxy to reach any protected host via crafted HTTP requests...
FortiWeb - Incorrect handling of large requests leads to denial of service
An uncontrolled resource consumption vulnerability CWE-400 in FortiWeb may allow an unauthenticated attacker to cause a Denial of Service to the FortiWeb's HTTP daemon via sending a large amount of crafted HTTP requests...
FortiWeb - Multiple command injection vulnerabilities
Multiple command injection vulnerabilities CWE-78 in the command line interpreter of FortiWeb may allow an authenticated attacker to execute arbitrary commands on the underlying system shell via specially crafted command arguments...
FortiWeb - Multiple vulnerabilities in the authentication mechanism of confd
Multiple vulnerabilities in the authentication mechanism of FortiWeb's confd, including an instance of concurrent execution using shared resource with improper synchronization CWE-362 and one of authentication bypass by capture-replay CWE-294, may allow a remote unauthenticated attacker to...
FortiWeb - Reflected cross-site scripting in SAML login
An improper neutralization of input during web page generation vulnerability CWE-79 in FortiWeb may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the SAML login webpage...
FortiNAC - Privilege Escalation via exploiting the SUDO privileges.
A privilege escalation vulnerability in FortiNAC may allow an admin user to escalate the privileges to root via the sudo command...
Meru AP - Unrestricted execution of OS commands as root
An improper sanitization of command elements (OS Command Injection) vulnerability CWE-78 in Meru AP may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted commands in Meru AP's CLI...
Protect
An integer overflow or wraparound vulnerability CWE-190 in FortiOS SSLVPN memory allocator may allow an unauthenticated attacker to corrupt control data on the heap via specifically crafted requests to SSLVPN, resulting in potentially arbitrary code execution...
FortiSandbox, FortiWeb, FortiADC, FortiMail - Multiple cryptographic flaws allow for full LDAP and RADIUS passwords compromise
A missing cryptographic steps vulnerability CWE-325 in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox, FortiWeb, FortiADC, and FortiMail may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets...
FortiWeb - Unauthorized user is granted access to the Reports available in the Log & Report section
An improper access control vulnerability CWE-284 in the Report Browse section of FortiWeb's Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs...
FortiWeb - Reflected cross-site scripting in error controllers
Multiple improper neutralization of input during web page generation 'Cross-site Scripting' vulnerabilities CWE-79 in FortiWeb may allow an unauthenticated user to inject malicious JavaScript code into the response webpage via crafted requests to the device's error handlers...
Protect
An improper access control vulnerability CWE-284 in FortiOS and FortiProxy autod daemon may allow an authenticated low-privileged attacker to escalate their privileges to superadmin via a specific crafted configuration of fabric automation CLI script and auto-script features...
Protect
A download of code without integrity check vulnerability CWE-494 in the "execute restore src-vis" command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages...
FortiClient (Windows) - Denial of service due to folder access permission change
An improper control of a resource through its lifetime CWE-664 vulnerability in FortiClient Windows may allow a privileged attacker to make the whole application unresponsive via changing its root directory access permission...
FortiWeb - Open redirect due to missing domain whitelisting
A URL redirection to untrusted site 'Open Redirect' CWE-601 in FortiWeb may allow an authenticated attacker to use the device as proxy to reach any protected host via crafted HTTP requests...
FortiWLC - Improper authenticated access control
An improper access control vulnerability CWE-284 in FortiWLC may allow an authenticated and remote attacker with low privileges to execute any command as an admin user with full access rights via bypassing the GUI restrictions...
FortiWeb - OS command injection
Multiple improper neutralization of special elements used in a command vulnerabilities CWE-77 in FortiWeb management interface may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests...