Fortiauthenticator

fortiauthenticator

Vendor: Fortinet • 23 CVEs

CVEs (23)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-44277 1Fortinet 1Fortiauthenticator May 28, 2026 May 12, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unautho...Show more A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or commands via crafted requests.Show less
CVE-2026-21743 1Fortinet 1Fortiauthenticator Feb 12, 2026 Feb 10, 2026 N/A· v4 7.2 HIGH· v3 N/A· v2 A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-onl...Show more A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint.Show less
CVE-2025-59923 1Fortinet 1Fortiauthenticator Dec 11, 2025 Dec 9, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an auth...Show more An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests.Show less
CVE-2025-57823 1Fortinet 1Fortiauthenticator Dec 9, 2025 Dec 9, 2025 N/A· v4 2.7 LOW· v3 N/A· v2 A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may all...Show more A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpointsShow less
CVE-2022-23439 1Fortinet 14Fortiadc FortiauthenticatorFortiddos+11 more Jan 14, 2026 Jan 22, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A externally controlled reference to a resource in another sphere vulnerability in Fortinet allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver
CVE-2024-23664 1Fortinet 1Fortiauthenticator Jan 21, 2025 Jun 3, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A URL redirection to untrusted site ('open redirect') in Fortinet FortiAuthenticator version 6.6.0, version 6.5.3 and below, version 6.4.9 and below may allow an attacker to to redirect users to an arbitrary website via...Show more A URL redirection to untrusted site ('open redirect') in Fortinet FortiAuthenticator version 6.6.0, version 6.5.3 and below, version 6.4.9 and below may allow an attacker to to redirect users to an arbitrary website via a crafted URL.Show less
CVE-2022-22302 1Fortinet 2Fortiauthenticator Fortios Nov 21, 2024 Jul 11, 2023 N/A· v4 3.3 LOW· v3 N/A· v2 A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6...Show more A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.Show less
CVE-2022-35850 1Fortinet 1Fortiauthenticator Nov 21, 2024 Apr 11, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthen...Show more An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.Show less
CVE-2023-26208 1Fortinet 1Fortiauthenticator Nov 21, 2024 Mar 9, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sendin...Show more A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.Show less
CVE-2021-26116 1Fortinet 1Fortiauthenticator Nov 21, 2024 Apr 6, 2022 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands v...Show more An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.Show less
CVE-2021-36177 1Fortinet 1Fortiauthenticator Nov 21, 2024 Feb 2, 2022 N/A· v4 4.3 MEDIUM· v3 3.3 LOW· v2 An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated di...Show more An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.Show less
CVE-2021-43068 1Fortinet 1Fortiauthenticator Nov 21, 2024 Dec 9, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal.
CVE-2021-43067 1Fortinet 1Fortiauthenticator Nov 21, 2024 Dec 8, 2021 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A exposure of sensitive information to an unauthorized actor in Fortinet FortiAuthenticator version 6.4.0, version 6.3.2 and below, version 6.2.1 and below, version 6.1.2 and below, version 6.0.7 to 6.0.1 allows attacker...Show more A exposure of sensitive information to an unauthorized actor in Fortinet FortiAuthenticator version 6.4.0, version 6.3.2 and below, version 6.2.1 and below, version 6.1.2 and below, version 6.0.7 to 6.0.1 allows attacker to duplicate a target LDAP user 2 factors authentication token via crafted HTTP requests.Show less
CVE-2021-22124 1Fortinet 2Fortiauthenticator Fortisandbox Nov 21, 2024 Aug 4, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow...Show more An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters.Show less
CVE-2021-24005 1Fortinet 1Fortiauthenticator Nov 21, 2024 Jul 6, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sens...Show more Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key.Show less
CVE-2019-16154 1Fortinet 1Fortiauthenticator Nov 21, 2024 Jan 7, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page.
CVE-2018-9186 1Fortinet 1Fortiauthenticator Nov 21, 2024 May 31, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts...Show more A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.Show less
CVE-2015-1459 1Fortinet 1Fortiauthenticator May 6, 2026 Feb 3, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the operation parameter to cert/scep/.
CVE-2015-1458 1Fortinet 1Fortiauthenticator May 6, 2026 Feb 3, 2015 N/A· v4 N/A· v3 6.9 MEDIUM· v2 Fortinet FortiAuthenticator 3.0.0 allows local users to bypass intended restrictions and gain privileges by creating /tmp/privexec/dbgcore_enable_shell_access and executing the "shell" command.
CVE-2015-1457 1Fortinet 1Fortiauthenticator May 6, 2026 Feb 3, 2015 N/A· v4 N/A· v3 4.9 MEDIUM· v2 Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command.

12 Next