CVSS: 5.3EPSS: 0%CPEs: 24EXPL: 0CVE-2024-26011
https://notcve.org/view.php?id=CVE-2024-26011
A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted packets. • https://fortiguard.fortinet.com/psirt/FG-IR-24-032 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47543
https://notcve.org/view.php?id=CVE-2023-47543
An authorization bypass through user-controlled key vulnerability [CWE-639] in Fortinet FortiPortal version 7.0.0 through 7.0.3 allows an authenticated attacker to interact with ressources of other organizations via HTTP or HTTPS requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-448 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21759
https://notcve.org/view.php?id=CVE-2024-21759
An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows attacker to view unauthorized resources via HTTP or HTTPS requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-011 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-31495
https://notcve.org/view.php?id=CVE-2024-31495
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and version 7.2.0 allows privileged user to obtain unauthorized information via the report download functionality. Una neutralización inadecuada de elementos especiales utilizados en un comando sql ("inyección sql") en las versiones 7.0.0 a 7.0.6 y 7.2.0 de Fortinet FortiPortal permite a un usuario privilegiado obtener información no autorizada a través de la funcionalidad de descarga de informes. • https://fortiguard.fortinet.com/psirt/FG-IR-24-128 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48789
https://notcve.org/view.php?id=CVE-2023-48789
A client-side enforcement of server-side security in Fortinet FortiPortal version 6.0.0 through 6.0.14 allows attacker to improper access control via crafted HTTP requests. Una aplicación de la seguridad del lado del servidor en Fortinet FortiPortal versión 6.0.0 a 6.0.14 permite al atacante realizar un control de acceso inadecuado a través de solicitudes HTTP manipuladas. • https://fortiguard.fortinet.com/psirt/FG-IR-23-406 • CWE-602: Client-Side Enforcement of Server-Side Security •