CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2023-22638
https://notcve.org/view.php?id=CVE-2023-22638
Several improper neutralization of inputs during web page generation vulnerability [CWE-79] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.11 and below, 8.7.6 and below, 8.6.5 and below, 8.5.4 and below, 8.3.7 and below may allow an authenticated attacker to perform several XSS attacks via crafted HTTP GET requests. • https://fortiguard.com/psirt/FG-IR-22-260 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-40677
https://notcve.org/view.php?id=CVE-2022-40677
A improper neutralization of argument delimiters in a command ('argument injection') in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 allows attacker to execute unauthorized code or commands via specially crafted input parameters. • https://fortiguard.com/psirt/FG-IR-22-280 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.8EPSS: 95%CPEs: 4EXPL: 3CVE-2022-39952 – Fortinet FortiNAC keyUpload.jsp Arbitrary File Write
https://notcve.org/view.php?id=CVE-2022-39952
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request. • https://github.com/horizon3ai/CVE-2022-39952 https://github.com/dkstar11q/CVE-2022-39952-better https://github.com/Chocapikk/CVE-2022-39952 https://fortiguard.com/psirt/FG-IR-22-300 https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs https://www.fortiguard.com/psirt/FG-IR-22-300 https://attackerkb.com/topics/9BvxYuiHYJ/cve-2022-39952 • CWE-73: External Control of File Name or Path CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2022-40675
https://notcve.org/view.php?id=CVE-2022-40675
Some cryptographic issues in Fortinet FortiNAC versions 9.4.0 through 9.4.1, 9.2.0 through 9.2.7, 9.1.0 through 9.1.8, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an attacker to decrypt and forge protocol communication messages. • https://fortiguard.com/psirt/FG-IR-22-312 • CWE-310: Cryptographic Issues •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-39954
https://notcve.org/view.php?id=CVE-2022-39954
An improper restriction of xml external entity reference in Fortinet FortiNAC version 9.4.0 through 9.4.1, FortiNAC version 9.2.0 through 9.2.7, FortiNAC version 9.1.0 through 9.1.8, FortiNAC version 8.8.0 through 8.8.11, FortiNAC version 8.7.0 through 8.7.6, FortiNAC version 8.6.0 through 8.6.5, FortiNAC version 8.5.0 through 8.5.4, FortiNAC version 8.3.7 allows attacker to read arbitrary files or trigger a denial of service via specifically crafted XML documents. • https://fortiguard.com/psirt/FG-IR-22-304 • CWE-611: Improper Restriction of XML External Entity Reference •