Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30306 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 8.8 HIGH |
| A stack-based buffer overflow vulnerability [CWE-121] in the CA sign functionality of FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.19 and below may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted password. | |||||
| CVE-2022-38375 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2023-02-24 | N/A | 9.8 CRITICAL |
| An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests. | |||||
| CVE-2022-26115 | 1 Fortinet | 1 Fortisandbox | 2023-02-24 | N/A | 7.5 HIGH |
| A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords. | |||||
| CVE-2022-39948 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-02-24 | N/A | 7.4 HIGH |
| An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy) | |||||
| CVE-2022-30304 | 1 Fortinet | 1 Fortianalyzer | 2023-02-24 | N/A | 6.1 MEDIUM |
| An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer. | |||||
| CVE-2022-30303 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an os command ('OS Command Injection') [CWE-78] in FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions may allow an authenticated attacker to execute arbitrary shell code as `root` user via crafted HTTP requests. | |||||
| CVE-2022-33869 | 1 Fortinet | 1 Fortiwan | 2023-02-24 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiWAN 4.0.0 through 4.5.9 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands. | |||||
| CVE-2022-38378 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-02-24 | N/A | 6.0 MEDIUM |
| An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7.2.0 and before 7.0.7 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an attacker that has access to the admin profile section (System subsection Administrator Users) to modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands. | |||||
| CVE-2021-34064 | 2023-02-24 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-33563. Reason: This candidate is a duplicate of CVE-2021-33563. Notes: All CVE users should reference CVE-2021-33563 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2021-42392 | 3 Debian, H2database, Oracle | 3 Debian Linux, H2, Communications Cloud Native Core Policy | 2023-02-24 | 10.0 HIGH | 9.8 CRITICAL |
| The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. | |||||
| CVE-2022-40675 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2023-02-24 | N/A | 7.4 HIGH |
| Some cryptographic issues in Fortinet FortiNAC versions 9.4.0 through 9.4.1, 9.2.0 through 9.2.7, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an attacker to decrypt and forge protocol communication messages. | |||||
| CVE-2022-43954 | 1 Fortinet | 1 Fortiportal | 2023-02-24 | N/A | 6.5 MEDIUM |
| An insertion of sensitive information into log file vulnerability [CWE-532] in the FortiPortal management interface 7.0.0 through 7.0.2 may allow a remote authenticated attacker to read other devices' passwords in the audit log page. | |||||
| CVE-2022-34841 | 1 Intel | 1 Media Software Development Kit | 2023-02-24 | N/A | 7.8 HIGH |
| Improper buffer restrictions in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-27170 | 1 Intel | 1 Media Software Development Kit | 2023-02-24 | N/A | 7.8 HIGH |
| Protection mechanism failure in the Intel(R) Media SDK software before version 22.2.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-40080 | 1 Acer | 2 Aspire E5-475g, Aspire E5-475g Firmware | 2023-02-24 | N/A | 7.8 HIGH |
| Stack overflow vulnerability in Aspire E5-475G 's BIOS firmware, in the FpGui module, a second call to GetVariable services allows local attackers to execute arbitrary code in the UEFI DXE phase and gain escalated privileges. | |||||
| CVE-2023-0866 | 1 Gpac | 1 Gpac | 2023-02-24 | N/A | 7.8 HIGH |
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3.0-DEV. | |||||
| CVE-2023-25653 | 1 Cisco | 1 Node-jose | 2023-02-24 | N/A | 7.5 HIGH |
| node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Prior to version 2.2.0, when using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input. The issue has been patched in version 2.2.0. Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run. | |||||
| CVE-2023-23783 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 7.8 HIGH |
| A use of externally-controlled format string in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specially crafted command arguments. | |||||
| CVE-2023-23782 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 7.8 HIGH |
| A heap-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb version 6.3.0 through 6.3.19, FortiWeb 6.4 all versions, FortiWeb 6.2 all versions, FortiWeb 6.1 all versions allows attacker to escalation of privilege via specifically crafted arguments to existing commands. | |||||
| CVE-2022-31836 | 1 Beego | 1 Beego | 2023-02-24 | 7.5 HIGH | 9.8 CRITICAL |
| The leafInfo.match() function in Beego v2.0.3 and below uses path.join() to deal with wildcardvalues which can lead to cross directory risk. | |||||