FortiManager - Excel formula injection in P&O IPv4 Policy names Vulnerability
An improper neutralization of formula elements vulnerability CWE-1236 in FortiManager may allow a local authenticated privileged attacker to execute arbitrary shell code on the end-user's host via inserting CSV formula in the policy names. This is achieved once the user downloads and opens the...
An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS CLI may allow a local and authenticated user assigned to a specific VDOM to retrieve other VDOMs information such as the admin account list and the network interface list...
FortiClient Linux - Command injection vulnerability
An OS command injection CWE-78 vulnerability in FortiClient for Linux may allow an unauthenticated, network-adjacent attacker to execute privileged and arbitrary commands on the Linux appliance on which FortiClient is running by tricking the user into connecting to a network with a malicious na...
A debug functionality in FortiGate may allow a privileged user to execute unauthorized code or commands via specific chains of print str and cmd mem cli commands to, respectively, read and write hexadecimal values to any memory address...
FortiWeb - OS Command Injection because of missing input parameter sanitization
Multiple improper neutralization of special elements vulnerabilities CWE-89 used in a command in FortiWeb may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests...
A cleartext storage in a file or on disk CWE-313 vulnerability in FortiOS SSL VPN may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system...
FortiManager - Access Control missing in P&O module assignment vulnerability
An improper authentication vulnerability CWE-287 in FortiManager may allow a standard user to assign or un-assign a global policy package via a POST request to flatui/json module...
FortiSandbox - Session ID does not expire after logout
An insufficient session expiration vulnerability CWE-613 in FortiSandbox may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID via other, hypothetical attacks...
Insufficient validation logic in FortiSandbox sniffer's max file size
An improper input validation vulnerability in the sniffer interface of FortiSandbox may allow an authenticated attacker to silently halt the sniffer via specifically crafted requests...
FortiAuthenticator - Command injection in CLI
An improper neutralization of special elements used in an OS command vulnerability CWE-78 in the command line interpreter of FortiAuthenticator may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands...
Vulnerability in OpenSSL library
A security advisory was released affecting the version of OpenSSL library used in some Fortinet products:...
FortiPortal - Pervasive SQL injections
Multiple improper neutralization of special elements used in an SQL command vulnerabilities CWE-89 in FortiPortal may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests...
FortiManager & FortiAnalyzer - Improper access control on the administrators account list
An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration...
FortiManager & FortiAnalyzer - HTTP response splitting vulnerability
An improper neutralization of CRLF sequences in HTTP headers 'HTTP Response Splitting' vulnerability in FortiManager and FortiAnalyzer GUI may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of...
Uncontrolled Resource Consumption (Unauthenticated Denial of Service) in login module
An uncontrolled resource consumption denial of service vulnerability in FortiSandbox and FortiAuthenticator login modules may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters...
FortiSandbox - Multiple heap corruption vulnerabilities in command shell
Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox may allow an authenticated attacker to manipulate memory and alter its content by means of specifically crafted command line arguments...
FortiSandbox - Command injection in web interface
An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests...
FortiPortal - Authentication bypass and remote code execution as root
A use of hard-coded credentials CWE-798 vulnerability in FortiPortal may allow a remote and unauthenticated attacker to execute unauthorized commands as root by uploading and deploying malicious web application archive files using the default hard-coded Tomcat Manager username and password...
FortiManager & FortiAnalyzer - Improper validation of dispatcher socket parameters
A server-side request forgery SSRF CWE-918 vulnerability in FortiManager and FortiAnalyzer GUI may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafted web requests...
FortiPortal - Unrestricted file upload vulnerability
An unrestricted file upload vulnerability CWE-434 in the web interface of FortiPortal may allow a low-privileged user to potentially tamper with the underlying system's files via the upload of specifically crafted files...
FortiPortal - Use of a predictable salt and digest-based algorithm for password hashing
A use of one-way hash with a predictable salt CWE-760 vulnerability in the password storing mechanism of FortiPortal may allow an attacker already in possession of the password store to decrypt the passwords by means of precomputed tables...
FortiSandbox - Predictable session IDs of JSON API
An instance of small space of random values in FortiSandbox RPC API may allow an attacker in possession of a few information pieces about the state of the device to possibly predict valid session IDs...
FortiSandbox - Multiple path traversals
Improper limitation of a pathname to a restricted directory CWE-22 vulnerabilities in FortiSandbox may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests...
FortiSandbox - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters...
FortiManager, FortiAnalyzer and FortiPortal - Multiple OS command injection vulnerabilities
Multiple OS command injection CWE-78 vulnerabilities in the command line interface of FortiManager, FortiAnalyzer, and FortiPortal may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters...
A buffer underwrite CWE-124 vulnerability in the firmware verification routine of FortiWeb, FortiOS, FortiSwitch, FortiADC, FortiAI, FortiManager, FortiAnalyzer, FortiProxy may allow an attacker located in the adjacent network to potentially execute arbitrary code via a specifically crafted...
FortiSandbox - SQL Injection vulnerabilities
Instances of SQL Injection vulnerabilities in FortiSandbox's checksum search and MTA-quarantine modules may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests...
FortiManager and FortiAnalyzer - Multiple reflected XSS
Multiple improper neutralization of input during web page generation CWE-79 in FortiManager and FortiAnalyzer user interface may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack XSS by injecting malicious payload in GET parameters...
FortiPortal - Path traversal in controller
A protection mechanism failure vulnerability CWE-693 resulting in improperly limiting pathname to a restricted directory in FortiPortal may allow an authenticated attacker to perform a path traversal attack via maliciously crafted GET parameters...
FortiManager - Improper access control in SD-WAN Orchestrator
An improper access control vulnerability in FortiManager may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL...
FortiSandbox - Unauthorized user able to download the device configuration file.
An improper access control vulnerability CWE-284 in FortiSandbox may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL...
FortiManager & FortiAnalyzer - Use after free vulnerability in fgfmsd daemon
A Use After Free CWE-416 vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorized code as root via sending a specifically crafted request to the fgfm port of the targeted device...
FortiMail - Memory leak in Webmail
A missing release of memory after its effective lifetime vulnerability CWE-401 in FortiMail Webmail may allow an unauthenticated remote attacker to exhaust available memory via specifically crafted login requests...
FortiWAN - OS command injection leads to privilege escalation
An OS command injection CWE-78 vulnerability in FortiWAN Command Line Interface may allow a local, authenticated and unprivileged attacker to escalate their privileges to root via executing a specially-crafted command...
FortiMail - Multiple buffer overflows
Multiple instances of incorrect calculation of buffer size in FortiMail Webmail and Administrative interface may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests...
FortiSandbox - Race condition vulnerability in command shell
A concurrent execution using shared resource with improper synchronization 'race condition' in the command shell of FortiSandbox may allow an authenticated attacker to bring the system into an unresponsive state via specifically orchestrated sequences of commands...
FortiMail - SQL Injection vulnerabilities
Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail may allow a non-authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests...
Command Injection in FSA sniffer module
An instance of improper neutralization of special elements in FortiSandbox's sniffer module may allow an authenticated administrator to execute commands on the underlying system's shell via altering the content of its configuration file...
FSSO Windows DC Agent [FSSO] Insecure communication between DC agent and Collector
An improper authentication vulnerability CWE-287 in FSSO Collector may allow an unauthenticated user to bypass any firewall authentication rule and access the protected network via sending specifically crafted UDP login notification packets...
FortiMail - OS Command injection
An improper neutralization of special elements used in an OS Command vulnerability CWE-78 in FortiMail's administrative interface may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests...
FortiMail / FortiNDR / FortiWeb - Path traversal vulnerabilities
Multiple Path traversal vulnerabilities in FortiMail, FortiNDR & FortiWeb may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests...
FortiMail - Unauthenticated encryption in IBE leads to email plaintext recovery
A missing cryptographic step in FortiMail IBE may allow an unauthenticated attacker who intercepts the encrypted messages to manipulate them in such a way that makes the tampering and the recovery of the plaintexts possible...
FortiMail - Improper use of cryptographic primitives in IBE KeyStore
Missing cryptographic steps in FortiMail IBE may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext...
FortiMail - Insecure PRNG in password and token generation scheme of IBE authentication
A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of FortiMail Identity Based Encryption service may allow an unauthenticated attacker to infer parts of users' authentication tokens and reset their credentials...
FortiAP - OS command Injection through kdbg CLI command
An instance of improper neutralization of special elements used in an OS Command found in FortiAP's console may allow an authenticated attacker to execute unauthorized commands by running the kdbg CLI command with specifically crafted arguments...
FortiMail - Improper cryptographic operations in cookie encryption potentially prone to forgery
The combination of various cryptographic issues in the session management of FortiMail, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges...
FortiManager and FortiAnalyzer - Buffer overflow vulnerability through the diagnose system geoip-city command
A buffer overflow vulnerability in FortiAnalyzer and FortiManager CLI may allow an authenticated, local attacker to perform a Denial of Service attack by running the diagnose system geoip-city command with a large ip value. Fortinet is not aware of any successful exploitation of this vulnerabilit...
FortiMail - Salted Digest vulnerable to length extension attacks
A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification...
FortiClientMac - Privilege escalation by abusing a Symlink following vulnerability
A UNIX symbolic link Symlink Following CWE-61 vulnerability in FortiClient for MacOS may allow a local and unprivileged user to overwrite privileged shell scripts executed during the installation phase via escalating their privileges to root...
FortiWLC - Improper access control
An improper access control CWE-284 vulnerability in FortiWLC may allow an unauthenticated and remote attacker to access certain areas of the web management CGI functionality by just specifying the correct URL. The vulnerability applies only to limited CGI resources and might allow the...