CVE-2015-2323
https://notcve.org/view.php?id=CVE-2015-2323
FortiOS 5.0.x before 5.0.12 and 5.2.x before 5.2.4 supports anonymous, export, RC4, and possibly other weak ciphers when using TLS to connect to FortiGuard servers, which allows man-in-the-middle attackers to spoof TLS content by modifying packets. Vulnerabilidad en FortiOS 5.0.x en versiones anteriores a 5.0.12 y 5.2.x en versiones anteriores a 5.2.4 admite el anonimato, exportación, RC4 y posiblemente otros cifrados débiles al utilizar TLS para conectarse a los servidores de FortiGuard, lo que permite a atacantes man-in-the-middle suplantar contenido TLS mediante la modificación de los paquetes. • http://fortiguard.com/advisory/2015-07-24-weak-ciphers-suites-are-presented-towards-fortiguard-servers http://www.fortiguard.com/advisory/FG-IR-15-021 http://www.securitytracker.com/id/1033092 • CWE-310: Cryptographic Issues •
CVE-2015-3626
https://notcve.org/view.php?id=CVE-2015-3626
Cross-site scripting (XSS) vulnerability in the DHCP Monitor page in the Web User Interface (WebUI) in Fortinet FortiOS before 5.2.4 on FortiGate devices allows remote attackers to inject arbitrary web script or HTML via a crafted hostname. Vulnerabilidad de XSS en la página DHCP Monitor en la Web User Interface (WebUI) en Fortinet FortiOS en versiones anteriores a 5.2.4 en dispositivos FortiGate permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de host manipulado. • http://fortiguard.com/advisory/dhcp-hostname-html-injection http://www.fortiguard.com/advisory/FG-IR-15-018 http://www.fortiguard.com/advisory/dhcp-hostname-html-injection http://www.securitytracker.com/id/1033144 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0351
https://notcve.org/view.php?id=CVE-2014-0351
The FortiManager protocol service in Fortinet FortiOS before 4.3.16 and 5.x before 5.0.8 on FortiGate devices does not prevent use of anonymous ciphersuites, which makes it easier for man-in-the-middle attackers to obtain sensitive information or interfere with communications by modifying the client-server data stream. El servicio de protocolo FortiManager en Fortinet FortiOS anterior a 4.3.16 y 5.x anterior a 5.0.8 en los dispositivos FortiGate devices no previene el uso de los suites de cifrado anónimos, lo que facilita a atacantes man-in-the-middle obtener información sensible o interferir con las comunicaciones mediante la modificación del flujo de datos del cliente-servidor. • http://www.fortiguard.com/advisory/FG-IR-14-006 http://www.kb.cert.org/vuls/id/730964 http://www.securityfocus.com/bid/69754 https://exchange.xforce.ibmcloud.com/vulnerabilities/96119 • CWE-310: Cryptographic Issues •
CVE-2014-2216
https://notcve.org/view.php?id=CVE-2014-2216
The FortiManager protocol service in Fortinet FortiOS before 4.3.16 and 5.0.0 before 5.0.8 on FortiGate devices allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted request. El servicio de protocolo FortiManager en Fortinet FortiOS anterior a 4.3.16 y 5.0.0 anterior a 5.0.8 en los dispositivos FortiGate permite a atacantes remotos causar una denegación de servicio y posiblemente ejecutar código arbitrario a través de una solicitud manipulada. • http://secunia.com/advisories/60724 http://www.fortiguard.com/advisory/FG-IR-14-006 http://www.kb.cert.org/vuls/id/730964 http://www.securityfocus.com/bid/69338 http://www.securitytracker.com/id/1030753 https://exchange.xforce.ibmcloud.com/vulnerabilities/95442 •
CVE-2013-7182 – FortiOS 5.0.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-7182
Cross-site scripting (XSS) vulnerability in firewall/schedule/recurrdlg in Fortinet FortiOS 5.0.5 allows remote attackers to inject arbitrary web script or HTML via the mkey parameter. Vulnerabilidad de XSS en firewall/schedule/recurrdlg en Fortinet FortiOS 5.0.5 permite a atacantes remotos inyectar script Web o HTML arbitrario a través del parámetro mkey. FortiOS version 5.0.5 suffers from a reflective cross site scripting vulnerability. • http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0016.html http://osvdb.org/102819 http://secunia.com/advisories/56739 http://www.fortiguard.com/advisory/FG-IR-14-003 http://www.kb.cert.org/vuls/id/728638 http://www.securityfocus.com/bid/65308 http://www.securitytracker.com/id/1029730 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •