Information disclosure through diagnose debug commands in FortiWeb
...
XSS vulnerability in FortiOS SSLVPN Portal
...
Ripple20 - Critical Vulnerabilities in low-level TCP/IP software library developed by Treck
On June 16, 2020, cybersecurity researchers from JSOF published a set of 19 vulnerabilities, dubbed Ripple20, that affect the TCP/IP stack developed by Treck. A remote attacker can exploit some of these vulnerabilities to take control of an affected system...
Protect
An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username...
Protect
Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiOS, FortiManager and FortiAnalyzer may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key...
CVE-2004-1653 SSH port forwarding exposes unprotected internal services
An improper access control vulnerability in the admin SSH console of multiple products may allow an authenticated user to access internal-only system services by using SSH local port forwarding. A successful attack needs an authenticated admin SSH user to set up a port bounce to product internal...
CVE-2019-9193 PostgreSQL allows OS level commands via COPY SQL function
An OS command injection vulnerability in FortiAnalyzer, FortiAuthenticator and FortiManager may allow a privileged system administrator to run OS level commands on the system via injecting commands in SQL queries...
FortiAnalyzer could potentially be used in NTP amplification attacks
An insufficient control of network message volume (CWE-406) vulnerability in FortiAnalyzer may allow an unauthenticated remote attacker to perform NTP amplification attacks, thereby causing reflected denial of service on arbitrary targets via sending specially crafted mode 6 queries to the...
Session ID does not expire after logout in FortiDeceptor
An insufficient session expiration vulnerability in FortiDeceptor may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks...
CVE-2015-0279: Expression Language Injection in FortiSIEM
An expression language injection vulnerability in FortiSIEM JBoss RichFaces library may allow a remote attacker to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter...
XSS vulnerability in the ESS Profile and Radius Profile of FortiWLC
An improper neutralization of input vulnerability in FortiWLC may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the ESS profile or the Radius Profile...
Unquoted Service Path Exploit observed in FortiSIEMWindowsAgent
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path...
XSS vulnerability in the Description Area of the Admin Profile
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area...
Protect
An information exposure vulnerability in FortiOS WEB UI may allow an unauthenticated attacker to gain platform information such as version, via parsing a JavaScript file...
FortiClient Use of Hard-coded Cryptographic Key
Use of a hard-coded cryptographic key to encrypt security sensitive data in configuration in FortiClient for Windows may allow an attacker with access to the configuration or the backup file to decrypt the sensitive data via knowledge of the hard-coded key...
XSS vulnerability in the URL of the FortiGateCloud Login Page
An improper neutralization of input vulnerability in the FortiGateCloud login page may allow a remote unauthenticated attacker to perform a reflected cross site scripting attack (XSS) via a specifically crafted login request...
FortiClient for Windows Insecure Temporary File vulnerability
An Insecure Temporary File (CWE-377) vulnerability in FortiClient for Windows may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack...
FortiAP system files overwrite via the tcpdump CLI command
...
Protect
TCP stacks that lack RFC 5961 3.2 & 4.2 support or have it disabled at application level may allow remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST or SYN packet...
Authentication bypass in FortiMail and FortiVoiceEnterprise
An improper authentication vulnerability in FortiMail and FortiVoiceEnterprise may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface...
CVE-2019-9506 Encryption Key Negotiation of Bluetooth (KNOB) Vulnerability
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary...
Improper Authorization vulnerability in FortiADC
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system...
XSS vulnerability in the Dashboard name parameter of FortiADC
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter...
FortiSIEM is vulnerable to a CSRF attack
A Cross-Site Request Forgery (CSRF) vulnerability in the user interface of FortiSIEM could allow a remote, unauthenticated attacker to perform arbitrary actions using an authenticated user's session by persuading the victim to follow a malicious link...
XSS vulnerability in the FortiManager via the buffer parameter
An improper neutralization of input vulnerability in FortiManager GUI may allow an authenticated attacker to perform an XSS (Cross Site Scripting) attack via the buffer parameter...
XSS vulnerability in the Anomaly Detection Parameter Name
An improper neutralization of input vulnerability in the Anomaly Detection interface of FortiWeb may allow a remote unauthenticated attacker to perform a cross site scripting attack (XSS) via a parameter of the request...
Stored XSS vulnerability in traffic group interface
An improper neutralization of input vulnerability in the FortiADC may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface...
XSS Vulnerability in Disclaimer Description of a Replacement Message in FortiWeb
An improper neutralization of input vulnerability in FortiWeb may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message...
Unquoted Service Path exploit in FortiClient
An unquoted service path vulnerability in the FortiClient FortiTray component may allow an attacker to gain elevated privileges via the FortiClientConsole executable service path...
Authorizations Bypass in the FortiPresence portal parameters
Two authorization bypass through user-controlled key vulnerabilities in the FortiPresence administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters...
XSS vulnerability in the URL Description of URL filter
An improper neutralization of input vulnerability in the URL Description of FortiIsolator may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via a parameter of the request...
FortiClient - installer DLL Hijacking Vulnerability
Multiple unsafe search path vulnerabilities in FortiClient online installers may allow an attacker with control over the directory in which the installers reside to execute arbitrary code on the system via uploading malicious .dll files in that directory...
FortiOS SSL Deep Inspection TLS Padding Oracle Vulnerabilities
Multiple padding oracle vulnerabilities (Zombie POODLE, GOLDENDOODLE, OpenSSL 0-length) in the CBC padding implementation of FortiOS when configured with SSL Deep Inspection policies and with the IPS sensor enabled may allow an attacker to decipher TLS connections going through the FortiGate by...
Protect
An improper input validation vulnerability in FortiOS admin webUI may allow an attacker to perform a URL redirect attack via a specifically crafted request to the admin initial password change webpage...
Protect
FortiGate models which do not contain an embedded TRNG may suffer from insufficient entropy "seed" in the CTR DRBG random data software generator, in their default configuration...
FortiManager Cross-Site WebSocket Hijacking (CSWSH)
An Insufficient Verification of Data Authenticity vulnerability in FortiManager may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack...
FortiAP system command injection through ifconfig command
A system command injection vulnerability in the FortiAP CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted ifconfig commands...
Protect
An Uncontrolled Resource Consumption vulnerability in multiple products may allow an attacker to cause web service portal denial of service (DoS) via handling specially crafted HTTP requests/responses in pieces slowly. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HT...
Protect
Makers of popular WiFi hacking tool hashcat have discovered a way to improve password brute-forcing of the WPA/WPA2 wifi network security standards. By leveraging the PMKID served by access points in WPA/WPA2 enabled WiFi networks, attackers gain knowledge of a pre-shared key hash, which can be...
Privilege escalation and DoS in FortiClient for Linux through local IPC socket
A privilege escalation vulnerability in FortiClient for Linux may allow a user with low privilege to run root system commands, overwrite system files or cause FortiClient processes to crash via injecting specially crafted client requests in the IPC socket of the FortiClient process...
FortiSIEM - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field o...
FortiSIEM default SSH key for the "tunneluser" account is the same across all appliances
A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image...
FortiSIEM Database hard-coded Credentials
A hard-coded password vulnerability in the FortiSIEM database component may allow attackers to access the device database via the use of static credentials...
XSS vulnerability in FortiAuthenticator OWA Agent
FortiAuthenticator Agent for Outlook Web Access v1.5 and below...
FortiMail admin privilege escalation through improper user profile control
Two improper access control vulnerabilities in FortiMail admin webUI may allow administrators to perform privileged functions they should not be authorized for...
Protect
A Host Header Redirection vulnerability exists in FortiOS SSL-VPN web portal: when an attacker submits specially crafted HTTP requests, the SSL-VPN web portal may respond with a redirection to websites specified by the attacker...
Protect
Multiple vulnerabilities, referred to as Dragonblood, exist in WiFi WPA3 standard implementation...
Protect
Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0; URL rating in FortiClient) sent and...
TCP SACK panic attack - Linux Kernel Vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479
CVE-2019-11477: The Linux kernel is vulnerable to an integer overflow in the 16 bit width of TCP_SKB_CB(skb)->tcp_gso_segs. A remote attacker could use this to cause a denial of service...
Protect
Failure to sanitize the error or message handling parameters in the SSL VPN web portal may allow an attacker to perform a Cross-site Scripting (XSS) attack...