CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35279
https://notcve.org/view.php?id=CVE-2024-35279
11 Feb 2025 — A stack-based buffer overflow [CWE-121] vulnerability in Fortinet FortiOS version 7.2.4 through 7.2.8 and version 7.4.0 through 7.4.4 allows a remote unauthenticated attacker to execute arbitrary code or commands via crafted UDP packets through the CAPWAP control, provided the attacker were able to evade FortiOS stack protections and provided the fabric service is running on the exposed interface. • https://fortiguard.fortinet.com/psirt/FG-IR-24-160 • CWE-121: Stack-based Buffer Overflow •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-40591
https://notcve.org/view.php?id=CVE-2024-40591
11 Feb 2025 — An incorrect privilege assignment vulnerability [CWE-266] in Fortinet FortiOS version 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9 and before 7.0.15 allows an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control. • https://fortiguard.fortinet.com/psirt/FG-IR-24-302 • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36504
https://notcve.org/view.php?id=CVE-2024-36504
14 Jan 2025 — An out-of-bounds read vulnerability [CWE-125] in FortiOS SSLVPN web portal versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, 7.0 all verisons, and 6.4 all versions may allow an authenticated attacker to perform a denial of service on the SSLVPN web portal via a specially crafted URL. • https://fortiguard.fortinet.com/psirt/FG-IR-23-473 • CWE-125: Out-of-bounds Read •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-46666
https://notcve.org/view.php?id=CVE-2024-46666
14 Jan 2025 — An allocation of resources without limits or throttling [CWE-770] vulnerability in FortiOS versions 7.6.0, versions 7.4.4 through 7.4.0, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow a remote unauthenticated attacker to prevent access to the GUI via specially crafted requests directed at specific endpoints. • https://fortiguard.fortinet.com/psirt/FG-IR-24-250 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-54021
https://notcve.org/view.php?id=CVE-2024-54021
14 Jan 2025 — An improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 allows attacker to execute unauthorized code or commands via crafted HTTP header. • https://fortiguard.fortinet.com/psirt/FG-IR-24-282 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 9.0EPSS: 0%CPEs: 8EXPL: 0CVE-2024-48886
https://notcve.org/view.php?id=CVE-2024-48886
14 Jan 2025 — A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3 allows attacker to execute unauthorized code or commands via a brute-force attack. • https://fortiguard.fortinet.com/psirt/FG-IR-24-221 • CWE-1390: Weak Authentication •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2024-48884
https://notcve.org/view.php?id=CVE-2024-48884
14 Jan 2025 — A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.5 through 7.2.9, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, 7.2.0 through 7.2.11, 7.0.0 through 7.0.18, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiManager Cloud versions 7.4.1 through 7.4.3, FortiRecorder versions 7.2.0 throu... • https://fortiguard.fortinet.com/psirt/FG-IR-24-259 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46668
https://notcve.org/view.php?id=CVE-2024-46668
14 Jan 2025 — An allocation of resources without limits or throttling vulnerability [CWE-770] in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory via multiple large file uploads. • https://fortiguard.fortinet.com/psirt/FG-IR-24-219 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.0EPSS: 0%CPEs: 8EXPL: 0CVE-2023-46715
https://notcve.org/view.php?id=CVE-2023-46715
14 Jan 2025 — An origin validation error [CWE-346] vulnerability in Fortinet FortiOS IPSec VPN version 7.4.0 through 7.4.1 and version 7.2.6 and below allows an authenticated IPSec VPN user with dynamic IP addressing to send (but not receive) packets spoofing the IP of another user via crafted network packets. • https://fortiguard.com/psirt/FG-IR-23-407 • CWE-346: Origin Validation Error •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-42786
https://notcve.org/view.php?id=CVE-2023-42786
14 Jan 2025 — A null pointer dereference in FortiOS versions 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0 all versions, 6.4 all versions , 6.2 all versions and 6.0 all versions allows attacker to trigger a denial of service via a crafted http request. • https://fortiguard.fortinet.com/psirt/FG-IR-23-293 • CWE-476: NULL Pointer Dereference •