Filtered by vendor Fortinet
Subscribe
Total
548 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-33871 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 7.2 HIGH |
A stack-based buffer overflow vulnerability [CWE-121] in FortiWeb version 7.0.1 and earlier, 6.4 all versions, version 6.3.19 and earlier may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI `execute backup-local rename` and `execute backup-local show` operations. | |||||
CVE-2022-30306 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 8.8 HIGH |
A stack-based buffer overflow vulnerability [CWE-121] in the CA sign functionality of FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.19 and below may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted password. | |||||
CVE-2022-26115 | 1 Fortinet | 1 Fortisandbox | 2023-02-24 | N/A | 7.5 HIGH |
A use of password hash with insufficient computational effort vulnerability [CWE-916] in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords. | |||||
CVE-2022-38375 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2023-02-24 | N/A | 9.8 CRITICAL |
An improper authorization vulnerability [CWE-285] in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests. | |||||
CVE-2022-39948 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-02-24 | N/A | 7.4 HIGH |
An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy) | |||||
CVE-2022-30304 | 1 Fortinet | 1 Fortianalyzer | 2023-02-24 | N/A | 6.1 MEDIUM |
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer. | |||||
CVE-2022-30303 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 8.8 HIGH |
An improper neutralization of special elements used in an os command ('OS Command Injection') [CWE-78] in FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions may allow an authenticated attacker to execute arbitrary shell code as `root` user via crafted HTTP requests. | |||||
CVE-2022-33869 | 1 Fortinet | 1 Fortiwan | 2023-02-24 | N/A | 8.8 HIGH |
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiWAN 4.0.0 through 4.5.9 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands. | |||||
CVE-2022-38378 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-02-24 | N/A | 6.0 MEDIUM |
An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7.2.0 and before 7.0.7 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an attacker that has access to the admin profile section (System subsection Administrator Users) to modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands. | |||||
CVE-2022-40675 | 1 Fortinet | 2 Fortinac, Fortinac-f | 2023-02-24 | N/A | 7.4 HIGH |
Some cryptographic issues in Fortinet FortiNAC versions 9.4.0 through 9.4.1, 9.2.0 through 9.2.7, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an attacker to decrypt and forge protocol communication messages. | |||||
CVE-2022-43954 | 1 Fortinet | 1 Fortiportal | 2023-02-24 | N/A | 6.5 MEDIUM |
An insertion of sensitive information into log file vulnerability [CWE-532] in the FortiPortal management interface 7.0.0 through 7.0.2 may allow a remote authenticated attacker to read other devices' passwords in the audit log page. | |||||
CVE-2023-23783 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 7.8 HIGH |
A use of externally-controlled format string in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specially crafted command arguments. | |||||
CVE-2023-23782 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 7.8 HIGH |
A heap-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb version 6.3.0 through 6.3.19, FortiWeb 6.4 all versions, FortiWeb 6.2 all versions, FortiWeb 6.1 all versions allows attacker to escalation of privilege via specifically crafted arguments to existing commands. | |||||
CVE-2022-38376 | 1 Fortinet | 1 Fortinac | 2023-02-24 | N/A | 6.1 MEDIUM |
Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerabilities [CWE-79] in Fortinet FortiNAC portal UI before 9.4.1 allows an attacker to perform an XSS attack via crafted HTTP requests. | |||||
CVE-2021-42756 | 1 Fortinet | 1 Fortiweb | 2023-02-24 | N/A | 9.8 CRITICAL |
Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests. | |||||
CVE-2022-26117 | 1 Fortinet | 1 Fortinac | 2023-02-16 | N/A | 8.8 HIGH |
An empty password in configuration file vulnerability [CWE-258] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.3 and below may allow an authenticated attacker to access the MySQL databases via the CLI. | |||||
CVE-2022-45857 | 1 Fortinet | 1 Fortimanager | 2023-01-11 | N/A | 7.5 HIGH |
An incorrect user management vulnerability [CWE-286] in the FortiManager version 6.4.6 and below VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin account is deleted. | |||||
CVE-2022-35845 | 1 Fortinet | 1 Fortitester | 2023-01-09 | N/A | 8.8 HIGH |
Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiTester 7.1.0, 7.0 all versions, 4.0.0 through 4.2.0, 2.3.0 through 3.9.1 may allow an authenticated attacker to execute arbitrary commands in the underlying shell. | |||||
CVE-2022-42471 | 1 Fortinet | 1 Fortiweb | 2023-01-09 | N/A | 5.4 MEDIUM |
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers. | |||||
CVE-2022-41336 | 1 Fortinet | 1 Fortiportal | 2023-01-09 | N/A | 4.8 MEDIUM |
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter. |