CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45327
https://notcve.org/view.php?id=CVE-2024-45327
An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-048 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2023-26211
https://notcve.org/view.php?id=CVE-2023-26211
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module. • https://fortiguard.com/psirt/FG-IR-23-088 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-23775
https://notcve.org/view.php?id=CVE-2023-23775
Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerabilities [CWE-89] in FortiSOAR 7.2.0 and before 7.0.3 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters. Múltiples vulnerabilidades de neutralización inadecuada de elementos especiales utilizados en comandos SQL ("Inyección SQL") [CWE-89] en FortiSOAR 7.2.0 y anteriores a 7.0.3 pueden permitir que un atacante autenticado ejecute código o comandos no autorizados a través de parámetros de cadenas específicamente manipulados. • https://fortiguard.com/psirt/FG-IR-22-448 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31493
https://notcve.org/view.php?id=CVE-2024-31493
An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3.0, version 7.2.2 and below, version 7.0.3 and below may allow an authenticated low privileged user to read Connector passwords in plain-text via HTTP responses. Una eliminación inadecuada de información confidencial antes de la vulnerabilidad de almacenamiento o transferencia [CWE-212] en FortiSOAR versión 7.3.0, versión 7.2.2 e inferiores, versión 7.0.3 e inferiores puede permitir que un usuario autenticado con privilegios bajos lea las contraseñas del conector en formato texto plano a través de respuestas HTTP. • https://fortiguard.fortinet.com/psirt/FG-IR-24-052 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38379
https://notcve.org/view.php?id=CVE-2022-38379
Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR. La neutralización incorrecta de la entrada durante la generación de la página web [CWE-79] en FortiSOAR 7.0.0 hasta 7.0.3 y 7.2.0 puede permitir que un atacante autenticado inyecte etiquetas HTML a través de campos de entrada de varios componentes dentro de FortiSOAR. • https://fortiguard.com/psirt/FG-IR-22-220 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •