649 matches found
Protect
An improper following of a certificate's chain of trust vulnerability in FortiGate SSL-VPN may allow an LDAP user to connect to VPN with any certificate that is signed by a trusted Certificate Authority...
FortiProxy - Unauthenticated SSL VPN users password modification
An improper access control vulnerability in FortiProxy SSL VPN web portal may allow an unauthenticated and remote attacker to change local SSL-VPN users' passwords via specially crafted HTTP requests...
Protect
Failure to sanitize input in the SSL VPN web portal may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters...
Protect
FortiGate's and FortiADC's read-only admins are able to point an LDAP server connectivity test request to a rogue LDAP server instead of the configured one, in order to obtain the LDAP server login credentials configured in the FortiGate...
Protect
On May 11th, 2021, Mathy Vanhoef (New York University Abu Dhabi) published a new paper, Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation, on a number of vulnerabilities in the base 802.11 protocol (802.11 is the standard that Wi-Fi is built on). The paper discloses three...
FortiWLC - XSS vulnerability
An improper neutralization of input during web page generation in FortiWLC web interface may allow both authenticated remote attackers and non-authenticated attackers in the same network as the appliance to perform a stored cross site scripting attack (XSS) via injecting malicious payloads in...
FortiWeb - OS command injection vulnerability
An OS command injection vulnerability in FortiWeb's management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page...
FortiProxy - Stack-based Buffer overflow vulnerability through the diagnose sys cpuset CLI command
A stack-based buffer overflow vulnerability in FortiProxy physical appliance CLI may allow an authenticated, remote attacker to perform a Denial of Service attack by running the diagnose sys cpuset with a large cpuset mask value. Fortinet is not aware of any successful exploitation of this...
FortiWLC - Multiple Buffer Overflow vulnerabilities
Multiple instances of stack-based buffer overflow vulnerability (CWE-121) in the command line interface of FortiWLC may allow a local, authenticated attacker to crash the access point being managed by the controller and potentially execute unauthorized code via a specifically crafted CLI command...
FortiAuthenticator - Hard-coded cryptographic keys used to encrypt sensitive data
Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key...
FortiWLC - Hardcoded root password
A use of hard-coded password vulnerability in FortiWLC may allow a local, authenticated attacker to connect to the managed Access Point (Meru AP and FortiAP-U) as root using the default hard-coded username and password...
FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests
A path traversal vulnerability in the FortiProxy SSL VPN web portal may allow a non-authenticated, remote attacker to download FortiProxy system files through specially crafted HTTP resource requests...
FortiSwitch - memory leak issue in lldpmedd daemon
A missing release of memory after effective lifetime vulnerability in FortiSwitch may allow an attacker on an adjacent network to exhaust available memory by sending specifically crafted LLDP/CDP/EDP packets to the device...
FortiNDR - OS command injection due to improper input sanitization
An improper input validation in FortiNDR v1.4.0 may allow an authenticated user to gain system shell access via a malicious payload in the "diagnose" command...
XSS vulnerability in FortiProxy SSLVPN Portal
An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS)...
Privilege Escalation observed in FortiNAC by exploiting the SUDO privileges
A privilege escalation vulnerability in FortiNAC may allow an admin user to escalate the privileges to root by abusing the sudo privileges...
Authentication bypass in FortiWAN
A relative path traversal vulnerability (CWE-23) in FortiWAN may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value...
The password configured in the FortiWeb's Web Vulnerability Scan profile is visible in cleartext.
...
Clear-text insertion of user's passwords into log files
...
FortiProxy - HTTPD is vulnerable to a Stack-based Buffer Overflow vulnerability
...
Potential sensitive information can be displayed in cleartext in FortiProxy CLI window
...
FortiProxy SSL VPN user credential plaintext storage
...
FortiProxy multiple pre-auth XSS vulnerabilities on SSL VPN
An Improper Neutralization of Input During Web Page Generation in the SSL VPN portal of FortiProxy may allow an unauthenticated, remote attacker to perform a reflected Cross Site Scripting attack (XSS) by injecting a malicious payload in the error, message or redir parameters...
FortiProxy SSL-VPN Improper Access Control vulnerability through the Quick connection functionality
...
XSS vulnerability in the Security Profiles comments section in FortiGate Cloud
An improper neutralization of input vulnerability in FortiGate Cloud may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the comments section of the Security Profiles...
FortiProxy SSL VPN buffer overflow when parsing javascript href content
A heap buffer overflow vulnerability in the FortiProxy SSL VPN web portal may cause the SSL VPN web service termination for logged in users or potential remote code execution on FortiProxy. This happens when an authenticated user visits a specifically crafted proxied webpage and is due to a failu...
Buffer overflow vulnerability in FortiProxy SSL VPN through a crafted POST request
A buffer overflow vulnerability in the SSL VPN portal of FortiProxy may allow an unauthenticated, remote attacker to perform a Denial of Service attack by sending a specifically crafted POST request with a large msg value...
XSS vulnerability in FortiWeb
...
Session ID does not expire after logout in FortiIsolator
An insufficient session expiration vulnerability in FortiIsolator may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks...
Protect
When traffic other than HTTP/S (e.g. SSH traffic, etc.) traverses the FortiOS on port 80/443, it is not redirected to the transparent proxy policy for processing, as it doesn't have a valid HTTP header...
FortiWeb is vulnerable to a blind SQL injection
A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement...
Protect
An exposure of sensitive information to an unauthorized actor vulnerability in FortiGate may allow a remote authenticated attacker to read the SSL VPN events log entries of users in other VDOMs by executing "get vpn ssl monitor" from the CLI. The sensitive data includes usernames, user groups, a...
FortiWeb is vulnerable to a buffer overflow
A stack-based buffer overflow vulnerability in FortiWeb may allow a remote, unauthenticated attacker to crash the httpd daemon thread by sending a request with a crafted cookie header...
FortiWeb is vulnerable to a Format string vulnerability
A format string vulnerability in FortiWeb may allow an authenticated, remote attacker to read the content of memory and retrieve sensitive data via the redir parameter...
FortiWeb - Stack-Based Buffer Overflow vulnerability
A stack-based buffer overflow (CWE-121) vulnerability in FortiWeb may allow an unauthenticated attacker to overwrite the content of the stack and potentially execute arbitrary code by sending crafted HTTP requests with large request parameter values...
FortiDeceptor - OS command injection vulnerabilities
Multiple OS command injection vulnerabilities in FortiDeceptor management interface may allow an authenticated user to execute arbitrary commands on the system via specifically crafted web requests...
Kr00k vulnerability (CVE-2019-15126) in Broadcom and Cypress Wi-Fi chips
During the RSA conference of February 26th 2020, researchers Štefan Svorencík and Robert Lipovsky disclosed a vulnerability in the implementation of the wireless egress packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability is referenced as CVE-2019-15126 and could allow an...
AV Engine evasion via malformed RAR file
FortiClient and FortiOS AV engines may not immediately detect certain types of malformed or non-standard RAR archives, potentially containing malicious files...
Protect
An improper neutralization of input vulnerability in the FortiGate may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard...
FortiMail software-version detection vulnerability
An exposure of sensitive information to an unauthorized actor vulnerability in FortiMail may allow a remote, unauthenticated attacker to obtain potentially sensitive software-version information by reading a JavaScript file...
Protect
FortiOS versions 6.2.4 and below...
Privilege escalation vulnerability in FortiClient for Linux
...
Multiple Apache Vulnerabilities fixed in 2.4.46
...
Protect
...
Protect
FortiGate versions 6.0.11 and below. FortiGate versions 6.2.5 and below. This issue is triggered ONLY when fabric/fortiheartbeat/endpoint-compliance is enabled at the interface level...
Protect
...
Protect
...
XSS vulnerability in the UserID of Admin Users in FortiNAC
...
HTML Injection Vulnerability observed in FortiAnalyzer and FortiTester
...
XSS vulnerability in FortiManager and FortiAnalyzer
...