Filtered by vendor Fortinet
Subscribe
Total
548 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-4066 | 1 Fortinet | 1 Fortiweb | 2016-11-28 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in Fortinet FortiWeb before 5.5.3 allows remote attackers to hijack the authentication of administrators for requests that change the password via unspecified vectors. | |||||
CVE-2005-3400 | 1 Fortinet | 1 Fortinet | 2016-10-17 | 5.0 MEDIUM | N/A |
Multiple interpretation error in Fortinet 2.48.0.0 allows remote attackers to bypass virus scanning via a file such as BAT, HTML, and EML with an "MZ" magic byte sequence which is normally associated with EXE, which causes the file to be treated as a safe type that could still be executed as a dangerous file type by applications on the end system, as demonstrated by a "triple headed" program that contains EXE, EML, and HTML content, aka the "magic byte bug." | |||||
CVE-2005-3221 | 1 Fortinet | 1 Fortinet Antivirus | 2016-10-17 | 5.1 MEDIUM | N/A |
Multiple interpretation error in unspecified versions of Fortinet Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper. | |||||
CVE-2005-1837 | 1 Fortinet | 1 Fortinet Firewall | 2016-10-17 | 7.5 HIGH | N/A |
Fortinet firewall running FortiOS 2.x contains a hardcoded username with the password set to the serial number, which allows local users with console access to gain privileges. | |||||
CVE-2016-4967 | 1 Fortinet | 1 Fortiwan | 2016-09-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to obtain sensitive information from (1) a backup of the device configuration via script/cfg_show.php or (2) PCAP files via script/system/tcpdump.php. | |||||
CVE-2016-4968 | 1 Fortinet | 1 Fortiwan | 2016-09-21 | 4.0 MEDIUM | 6.5 MEDIUM |
The linkreport/tmp/admin_global page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to discover administrator cookies via a GET request. | |||||
CVE-2016-4969 | 1 Fortinet | 1 Fortiwan | 2016-09-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the IP parameter to script/statistics/getconn.php. | |||||
CVE-2016-4966 | 1 Fortinet | 1 Fortiwan | 2016-09-21 | 4.0 MEDIUM | 6.5 MEDIUM |
The diagnosis_control.php page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to download PCAP files via vectors related to the UserName GET parameter. | |||||
CVE-2016-4965 | 1 Fortinet | 1 Fortiwan | 2016-09-21 | 9.0 HIGH | 8.8 HIGH |
Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users with access to the nslookup functionality to execute arbitrary commands with root privileges via the graph parameter to diagnosis_control.php. | |||||
CVE-2016-1909 | 1 Fortinet | 1 Fortios | 2016-07-15 | 10.0 HIGH | 9.8 CRITICAL |
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8 have a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH session. | |||||
CVE-2016-5092 | 1 Fortinet | 1 Fortiweb | 2016-07-14 | 4.0 MEDIUM | 4.9 MEDIUM |
Directory traversal vulnerability in Fortinet FortiWeb before 5.5.3 allows remote authenticated administrators with read and write privileges to read arbitrary files by leveraging the autolearn feature. | |||||
CVE-2016-3978 | 1 Fortinet | 1 Fortios | 2016-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login." | |||||
CVE-2015-1453 | 1 Fortinet | 1 Forticlient | 2015-11-30 | 5.0 MEDIUM | N/A |
The qm class in Fortinet FortiClient 5.2.3.091 for Android uses a hardcoded encryption key of FoRtInEt!AnDrOiD, which makes it easier for attackers to obtain passwords and possibly other sensitive data by leveraging the key to decrypt data in the Shared Preferences. | |||||
CVE-2014-8617 | 1 Fortinet | 1 Fortimail | 2015-11-19 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9, 5.0.x before 5.0.8, 5.1.x before 5.1.5, and 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via the release parameter to module/releasecontrol. | |||||
CVE-2013-4669 | 5 Apple, Fortinet, Google and 2 more | 7 Mac Os X, Forticlient, Forticlient Lite and 4 more | 2015-11-04 | 5.4 MEDIUM | N/A |
FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem. | |||||
CVE-2015-8038 | 1 Fortinet | 1 Fortimanager Firmware | 2015-11-03 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Graphical User Interface (GUI) in Fortinet FortiManager before 5.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) sharedjobmanager or (2) SOMServiceObjDialog. | |||||
CVE-2015-8037 | 1 Fortinet | 1 Fortimanager Firmware | 2015-11-03 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Graphical User Interface (GUI) in Fortinet FortiManager before 5.2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) SOMVpnSSLPortalDialog or (2) FGDMngUpdHistory. | |||||
CVE-2014-3115 | 1 Fortinet | 1 Fortiweb | 2015-07-31 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vectors. | |||||
CVE-2013-7181 | 1 Fortinet | 1 Fortiweb | 2015-07-27 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in user/ldap_user/add in Fortinet FortiOS 5.0.3 allows remote attackers to inject arbitrary web script or HTML via the filter parameter. | |||||
CVE-2015-1571 | 1 Fortinet | 1 Fortios | 2015-07-22 | 4.3 MEDIUM | N/A |
** DISPUTED ** The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch 7 build 4457 uses the same certificate and private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the Fortinet_Factory certificate and private key. NOTE: FG-IR-15-002 says "The Fortinet_Factory certificate is unique to each device ... An attacker cannot therefore stage a MitM attack." |