CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-23666
https://notcve.org/view.php?id=CVE-2024-23666
A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14 allows attacker to improper access control via crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-396 • CWE-602: Client-Side Enforcement of Server-Side Security •
CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36513
https://notcve.org/view.php?id=CVE-2024-36513
A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate their privileges via lua auto patch scripts. • https://fortiguard.fortinet.com/psirt/FG-IR-24-144 • CWE-270: Privilege Context Switching Error •
CVSS: 9.8EPSS: 5%CPEs: 6EXPL: 6CVE-2024-47575 – Fortinet FortiManager Missing Authentication Vulnerability
https://notcve.org/view.php?id=CVE-2024-47575
A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests. A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.12, FortiManager Cloud 6.4.1 through 6.4.7 allows attacker to execute arbitrary code or commands via specially crafted requests. Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. • https://github.com/hazesecurity/CVE-2024-47575 https://github.com/HazeLook/CVE-2024-47575 https://github.com/maybelookis/CVE-2024-47575 https://github.com/zgimszhd61/CVE-2024-47575-POC https://github.com/krmxd/CVE-2024-47575 https://github.com/groshi/CVE-2024-47575-POC https://fortiguard.fortinet.com/psirt/FG-IR-24-423 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45330
https://notcve.org/view.php?id=CVE-2024-45330
A use of externally-controlled format string in Fortinet FortiAnalyzer versions 7.4.0 through 7.4.3, 7.2.2 through 7.2.5 allows attacker to escalate its privileges via specially crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-196 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-33506
https://notcve.org/view.php?id=CVE-2024-33506
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager 7.4.2 and below, 7.2.5 and below, 7.0.12 and below allows a remote authenticated attacker assigned to an Administrative Domain (ADOM) to access device summary of unauthorized ADOMs via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-472 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •