Filtered by vendor Fortinet
Total: 717 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46713 | 1 Fortinet | 1 Fortiweb | 2023-12-19 | N/A | 5.3 MEDIUM |
| An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application. | | | | | |
| CVE-2023-44252 | 1 Fortinet | 1 Fortiwan | 2023-12-18 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** An improper authentication vulnerability [CWE-287] in Fortinet FortiWAN version 5.2.0 through 5.2.1 and version 5.1.1 through 5.1.2 may allow an authenticated attacker to escalate their privileges via HTTP or HTTPS requests with crafted JWT token values. | | | | | |
| CVE-2023-44251 | 1 Fortinet | 1 Fortiwan | 2023-12-18 | N/A | 8.8 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability [CWE-22] in Fortinet FortiWAN version 5.2.0 through 5.2.1 and version 5.1.1 through 5.1.2 may allow an authenticated attacker to read and delete arbitrary files on the system via crafted HTTP or HTTPS requests. | | | | | |
| CVE-2023-47536 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-12-18 | N/A | 5.3 MEDIUM |
| An improper access control vulnerability [CWE-284] in FortiOS version 7.2.0, version 7.0.13 and below, version 6.4.14 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below may allow a remote unauthenticated attacker to bypass the firewall's geolocation deny policy by timing requests to coincide with a GeoIP database update. | | | | | |
| CVE-2023-48791 | 1 Fortinet | 1 Fortiportal | 2023-12-15 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field. | | | | | |
| CVE-2023-48782 | 1 Fortinet | 1 Fortiwlm | 2023-12-15 | N/A | 8.8 HIGH |
| An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 allows an attacker to execute unauthorized code or commands via specifically crafted HTTP GET request parameters. | | | | | |
| CVE-2023-45587 | 1 Fortinet | 1 Fortisandbox | 2023-12-15 | N/A | 5.4 MEDIUM |
| An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 allows an attacker to execute unauthorized code or commands via crafted HTTP requests. | | | | | |
| CVE-2023-41844 | 1 Fortinet | 1 Fortisandbox | 2023-12-15 | N/A | 5.4 MEDIUM |
| An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.4 allows an attacker to execute unauthorized code or commands via crafted HTTP requests to the capture traffic endpoint. | | | | | |
| CVE-2023-41678 | 1 Fortinet | 2 Fortios, Fortipam | 2023-12-15 | N/A | 8.8 HIGH |
| A double free in Fortinet FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0.0 through 1.0.3, 1.1.0 through 1.1.1 allows an attacker to execute unauthorized code or commands via a specifically crafted request. | | | | | |
| CVE-2023-41673 | 1 Fortinet | 1 Fortiadc | 2023-12-15 | N/A | 5.4 MEDIUM |
| An improper authorization vulnerability [CWE-285] in Fortinet FortiADC version 7.4.0 and before 7.2.2 may allow a low privileged user to read or backup the full system configuration via HTTP or HTTPS requests. | | | | | |
| CVE-2023-40716 | 1 Fortinet | 1 Fortitester | 2023-12-15 | N/A | 7.8 HIGH |
| An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiTester 2.3.0 through 7.2.3 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments when running `execute restore/backup`. | | | | | |
| CVE-2023-36639 | 1 Fortinet | 3 Fortios, Fortipam, Fortiproxy | 2023-12-15 | N/A | 8.8 HIGH |
| A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, FortiOS versions 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiPAM versions 1.0.0 through 1.0.3 allows an attacker to execute unauthorized code or commands via specially crafted API requests. | | | | | |
| CVE-2023-29177 | 1 Fortinet | 2 Fortiadc, Fortiddos-f | 2023-11-21 | N/A | 6.7 MEDIUM |
| Multiple buffer copy without checking size of input ('classic buffer overflow') vulnerabilities [CWE-120] in FortiADC version 7.2.0 and before 7.1.2 and FortiDDoS-F version 6.5.0 and before 6.4.1 allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI requests. | | | | | |
| CVE-2023-40719 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2023-11-21 | N/A | 5.5 MEDIUM |
| A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials. | | | | | |
| CVE-2023-44248 | 1 Fortinet | 1 Fortiedr | 2023-11-21 | N/A | 5.5 MEDIUM |
| An improper access control vulnerability [CWE-284] in FortiEDRCollectorWindows version 5.2.0.4549 and below, 5.0.3.1007 and below, and all 4.0 versions may allow a local attacker to prevent the collector service from starting on the next system reboot by tampering with some registry keys of the service. | | | | | |
| CVE-2023-41840 | 1 Fortinet | 1 Forticlient | 2023-11-21 | N/A | 7.8 HIGH |
| An untrusted search path vulnerability in Fortinet FortiClientWindows 7.0.9 allows an attacker to perform a DLL hijack attack via a malicious OpenSSL engine library in the search path. | | | | | |
| CVE-2023-41676 | 1 Fortinet | 1 Fortisiem | 2023-11-21 | N/A | 6.5 MEDIUM |
| An exposure of sensitive information to an unauthorized actor [CWE-200] in FortiSIEM version 7.0.0 and before 6.7.5 may allow an attacker with access to Windows agent logs to obtain the Windows agent password by searching through the logs. | | | | | |
| CVE-2022-40681 | 1 Fortinet | 1 Forticlient | 2023-11-20 | N/A | 7.1 HIGH |
| An incorrect authorization vulnerability in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to cause a denial of service by sending a crafted request to a specific named pipe. | | | | | |
| CVE-2023-25603 | 1 Fortinet | 2 Fortiadc, Fortiddos-f | 2023-11-20 | N/A | 9.1 CRITICAL |
| A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allows an unauthorized attacker to carry out privileged actions and retrieve sensitive information via crafted web requests. | | | | | |
| CVE-2023-36553 | 1 Fortinet | 1 Fortisiem | 2023-11-20 | N/A | 9.8 CRITICAL |
| An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSIEM version 5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 and 5.2.1 through 5.2.2 and 5.1.0 through 5.1.3 and 5.0.0 through 5.0.1 and 4.10.0 and 4.9.0 and 4.7.2 allows an attacker to execute unauthorized code or commands via crafted API requests. | | | | | |
