CVSS: 8.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-21760
https://notcve.org/view.php?id=CVE-2024-21760
18 Mar 2025 — An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet. • https://fortiguard.fortinet.com/psirt/FG-IR-23-420 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-6697
https://notcve.org/view.php?id=CVE-2019-6697
17 Mar 2025 — An Improper Neutralization of Input vulnerability affecting FortiGate version 6.2.0 through 6.2.1, 6.0.0 through 6.0.6 in the hostname parameter of a DHCP packet under DHCP monitor page may allow an unauthenticated attacker in the same network as the FortiGate to perform a Stored Cross Site Scripting attack (XSS) by sending a crafted DHCP packet. • https://fortiguard.com/advisory/FG-IR-19-184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-9295
https://notcve.org/view.php?id=CVE-2020-9295
17 Mar 2025 — FortiOS 6.2 running AV engine version 6.00142 and below, FortiOS 6.4 running AV engine version 6.00144 and below and FortiClient 6.2 running AV engine version 6.00137 and below may not immediately detect certain types of malformed or non-standard RAR archives, potentially containing malicious files. Based on the samples provided, FortiClient will detect the malicious files upon trying extraction by real-time scanning and FortiGate will detect the malicious archive if Virus Outbreak Prevention is enabled. • https://fortiguard.com/psirt/FG-IR-20-037 • CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-29010
https://notcve.org/view.php?id=CVE-2020-29010
17 Mar 2025 — An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS version 6.2.4 and below, version 6.0.10 and belowmay allow remote authenticated actors to read the SSL VPN events log entries of users in other VDOMs by executing "get vpn ssl monitor" from the CLI. The sensitive data includes usernames, user groups, and IP address. • https://fortiguard.fortinet.com/psirt/FG-IR-20-103 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17659
https://notcve.org/view.php?id=CVE-2019-17659
17 Mar 2025 — A use of hard-coded cryptographic key vulnerability in FortiSIEM version 5.2.6 may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user "tunneluser" by leveraging knowledge of the private key from another installation or a firmware image. • https://fortiguard.fortinet.com/psirt/FG-IR-19-296 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2021-22126
https://notcve.org/view.php?id=CVE-2021-22126
17 Mar 2025 — A use of hard-coded password vulnerability in FortiWLC version 8.5.2 and below, version 8.4.8 and below, version 8.3.3 to 8.3.2, version 8.2.7 to 8.2.6 may allow a local, authenticated attacker to connect to the managed Access Point (Meru AP and FortiAP-U) as root using the default hard-coded username and password. • https://fortiguard.fortinet.com/psirt/FG-IR-20-147 • CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2021-32584
https://notcve.org/view.php?id=CVE-2021-32584
17 Mar 2025 — An improper access control (CWE-284) vulnerability in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 and below, version 8.2.7 to 8.2.4, version 8.1.3 may allow an unauthenticated and remote attacker to access certain areas of the web management CGI functionality by just specifying the correct URL. The vulnerability applies only to limited CGI resources and might allow the unauthorized party to access configuration details. • https://fortiguard.fortinet.com/psirt/FG-IR-20-138 • CWE-284: Improper Access Control •
CVSS: 8.2EPSS: 0%CPEs: 7EXPL: 0CVE-2024-54027
https://notcve.org/view.php?id=CVE-2024-54027
17 Mar 2025 — A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and below, version 4.2.7 and below, version 4.0.5 and below, version 3.2.4 and below, version 3.1.5 and below, version 3.0.7 to 3.0.5 may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI. • https://fortiguard.fortinet.com/psirt/FG-IR-24-327 • CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-26087
https://notcve.org/view.php?id=CVE-2021-26087
17 Mar 2025 — An improper neutralization of input during web page generation in FortiWLC version 8.6.0, version 8.5.3 and below, version 8.4.8 and below, version 8.3.3 web interface may allow both authenticated remote attackers and non-authenticated attackers in the same network as the appliance to perform a stored cross site scripting attack (XSS) via injecting malicious payloads in different locations. • https://fortiguard.fortinet.com/psirt/FG-IR-20-137 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.1EPSS: 0%CPEs: 5EXPL: 0CVE-2019-15706
https://notcve.org/view.php?id=CVE-2019-15706
17 Mar 2025 — An improper neutralization of input during web page generation in the SSL VPN portal of FortiProxy version 2.0.0, version 1.2.9 and below and FortiOS version 6.2.1 and below, version 6.0.8 and below, version 5.6.12 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS). • https://fortiguard.fortinet.com/psirt/FG-IR-19-223 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •