Fortinet

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-24021 1Fortinet 1Fortianalyzer Nov 21, 2024 Oct 6, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scriptin...Show more An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks.Show less
CVE-2021-24019 1Fortinet 1Forticlient Endpoint Management Server Nov 21, 2024 Oct 6, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should...Show more An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)Show less
CVE-2020-15941 1Fortinet 1Forticlient Endpoint Management Server Nov 21, 2024 Oct 6, 2021 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the ser...Show more A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages.Show less
CVE-2021-24017 1Fortinet 1Fortimanager Nov 21, 2024 Sep 30, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.
CVE-2021-24016 1Fortinet 1Fortimanager Nov 21, 2024 Sep 30, 2021 N/A· v4 6.3 MEDIUM· v3 9.3 HIGH· v2 An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exp...Show more An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.Show less
CVE-2021-36182 1Fortinet 1Fortiweb Nov 21, 2024 Sep 8, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A Improper neutralization of special elements used in a command ('Command Injection') in Fortinet FortiWeb version 6.3.13 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests
CVE-2021-36179 1Fortinet 1Fortiweb Nov 21, 2024 Sep 8, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A stack-based buffer overflow in Fortinet FortiWeb version 6.3.14 and below, 6.2.4 and below allows attacker to execute unauthorized code or commands via crafted parameters in CLI command execution
CVE-2020-29012 1Fortinet 1Fortisandbox Nov 21, 2024 Sep 8, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device...Show more An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)Show less
CVE-2021-24006 1Fortinet 1Fortimanager Nov 21, 2024 Sep 6, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.
CVE-2020-15939 1Fortinet 1Fortisandbox Nov 21, 2024 Sep 6, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery...Show more An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.Show less
CVE-2021-32602 1Fortinet 1Fortiportal Nov 21, 2024 Aug 19, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and bel...Show more An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value.Show less
CVE-2021-32588 1Fortinet 1Fortiportal Nov 21, 2024 Aug 18, 2021 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below, versions 5.1.x and 5.0.x may allow a remote and unauthenticated attacker to execute unaut...Show more A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal versions 5.2.5 and below, 5.3.5 and below, 6.0.4 and below, versions 5.1.x and 5.0.x may allow a remote and unauthenticated attacker to execute unauthorized commands as root by uploading and deploying malicious web application archive files using the default hard-coded Tomcat Manager username and password.Show less
CVE-2021-32597 1Fortinet 2Fortianalyzer Fortimanager Nov 21, 2024 Aug 6, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker t...Show more Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.Show less
CVE-2021-32587 1Fortinet 2Fortianalyzer Fortimanager Nov 21, 2024 Aug 6, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with rest...Show more An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration.Show less
CVE-2021-32603 1Fortinet 2Fortianalyzer Fortimanager Nov 21, 2024 Aug 5, 2021 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker...Show more A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafted web requests.Show less
CVE-2021-32598 1Fortinet 2Fortianalyzer Fortimanager Nov 21, 2024 Aug 5, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may...Show more An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response.Show less
CVE-2021-24014 1Fortinet 1Fortisandbox Nov 21, 2024 Aug 4, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted reque...Show more Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters.Show less
CVE-2021-22124 1Fortinet 2Fortiauthenticator Fortisandbox Nov 21, 2024 Aug 4, 2021 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow...Show more An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters.Show less
CVE-2021-26096 1Fortinet 1Fortisandbox Nov 21, 2024 Aug 4, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenticated attacker to manipulate memory and alter its content by means of specifically crafted command l...Show more Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenticated attacker to manipulate memory and alter its content by means of specifically crafted command line arguments.Show less
CVE-2021-32596 1Fortinet 1Fortiportal Nov 21, 2024 Aug 4, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A use of one-way hash with a predictable salt vulnerability in the password storing mechanism of FortiPortal 6.0.0 through 6.04 may allow an attacker already in possession of the password store to decrypt the passwords b...Show more A use of one-way hash with a predictable salt vulnerability in the password storing mechanism of FortiPortal 6.0.0 through 6.04 may allow an attacker already in possession of the password store to decrypt the passwords by means of precomputed tables.Show less

Previous 1...404142...56 Next