CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2024-48885
https://notcve.org/view.php?id=CVE-2024-48885
16 Jan 2025 — A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiRecorder versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4, FortiWeb versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10, 6.4.0 through 6.4.3, FortiVoice versions 7.0.0 through 7.0.4, 6.4.0 through 6.4.9, 6.0.0 through 6.0.12 allows attacker to escalate privilege via specially crafted packets. • https://fortiguard.fortinet.com/psirt/FG-IR-24-259 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21758
https://notcve.org/view.php?id=CVE-2024-21758
14 Jan 2025 — A stack-based buffer overflow in Fortinet FortiWeb versions 7.2.0 through 7.2.7, and 7.4.0 through 7.4.1 may allow a privileged user to execute arbitrary code via specially crafted CLI commands, provided the user is able to evade FortiWeb stack protections. • https://fortiguard.fortinet.com/psirt/FG-IR-23-458 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-121: Stack-based Buffer Overflow •
CVSS: 3.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-55593
https://notcve.org/view.php?id=CVE-2024-55593
14 Jan 2025 — A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows attacker to gain information disclosure via crafted SQL queries • https://fortiguard.fortinet.com/psirt/FG-IR-24-465 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36509
https://notcve.org/view.php?id=CVE-2024-36509
12 Nov 2024 — An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page. • https://fortiguard.fortinet.com/psirt/FG-IR-24-180 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 0CVE-2024-23665
https://notcve.org/view.php?id=CVE-2024-23665
03 Jun 2024 — Multiple improper authorization vulnerabilities [CWE-285] in FortiWeb version 7.4.2 and below, version 7.2.7 and below, version 7.0.10 and below, version 6.4.3 and below, version 6.3.23 and below may allow an authenticated attacker to perform unauthorized ADOM operations via crafted requests. Múltiples vulnerabilidades de autorización inadecuada [CWE-285] en FortiWeb versión 7.4.2 y anteriores, versión 7.2.7 y siguientes, versión 7.0.10 y siguientes, versión 6.4.3 y siguientes, versión 6.3.23 y siguientes p... • https://fortiguard.fortinet.com/psirt/FG-IR-23-474 • CWE-285: Improper Authorization •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-23107
https://notcve.org/view.php?id=CVE-2024-23107
03 Jun 2024 — An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiWeb version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, 6.3 all versions may allow an authenticated attacker to read password hashes of other administrators via CLI commands. Una exposición de información confidencial a una vulnerabilidad de actor no autorizado [CWE-200] en FortiWeb versión 7.4.0, versión 7.2.4 e inferiores, versión 7.0.8 e inferiores, 6.3 todas las versiones puede permitir que un atac... • https://fortiguard.fortinet.com/psirt/FG-IR-23-191 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-46713
https://notcve.org/view.php?id=CVE-2023-46713
13 Dec 2023 — An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application. Una neutralización de salida inadecuada para los registros en Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 y 7.4.0 puede permitir que un atacante falsifique registros de tráfico a través de una URL manipulada de la aplicación web. • https://fortiguard.com/psirt/FG-IR-23-256 • CWE-117: Improper Output Neutralization for Logs •