CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-39951
https://notcve.org/view.php?id=CVE-2022-39951
07 Mar 2023 — A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests. • https://fortiguard.com/psirt/FG-IR-22-254 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-22636
https://notcve.org/view.php?id=CVE-2023-22636
27 Feb 2023 — An unauthorized configuration download vulnerability in FortiWeb 6.3.6 through 6.3.21, 6.4.0 through 6.4.2 and 7.0.0 through 7.0.4 may allow a local attacker to access confidential configuration files via a crafted http request. • https://fortiguard.com/psirt/FG-IR-22-460 • CWE-285: Improper Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40683
https://notcve.org/view.php?id=CVE-2022-40683
16 Feb 2023 — A double free in Fortinet FortiWeb version 7.0.0 through 7.0.3 may allows attacker to execute unauthorized code or commands via specially crafted commands • https://fortiguard.com/psirt/FG-IR-22-348 • CWE-415: Double Free •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-23784
https://notcve.org/view.php?id=CVE-2023-23784
16 Feb 2023 — A relative path traversal in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to information disclosure via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-251 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2022-42471
https://notcve.org/view.php?id=CVE-2022-42471
03 Jan 2023 — An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers. An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb versi... • https://fortiguard.com/psirt/FG-IR-22-250 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •