CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-36638
https://notcve.org/view.php?id=CVE-2023-36638
13 Sep 2023 — An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID. Una vulnerabilidad de administración de privilegios inadec... • https://fortiguard.com/psirt/FG-IR-22-522 • CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-25606
https://notcve.org/view.php?id=CVE-2023-25606
11 Jul 2023 — An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4 all versions may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management in... • https://fortiguard.com/psirt/FG-IR-22-471 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-25609
https://notcve.org/view.php?id=CVE-2023-25609
13 Jun 2023 — A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to access unauthorized files and services on the system via specially crafted web requests. A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to a... • https://fortiguard.com/psirt/FG-IR-22-493 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22642
https://notcve.org/view.php?id=CVE-2023-22642
11 Apr 2023 — An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4.8 through 6.4.10 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert ressources. • https://fortiguard.com/psirt/FG-IR-22-502 • CWE-295: Improper Certificate Validation •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-42477
https://notcve.org/view.php?id=CVE-2022-42477
11 Apr 2023 — An improper input validation vulnerability [CWE-20] in FortiAnalyzer version 7.2.1 and below, version 7.0.6 and below, 6.4 all versions may allow an authenticated attacker to disclose file system information via custom dataset SQL queries. • https://fortiguard.com/psirt/FG-IR-22-432 • CWE-20: Improper Input Validation •
CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-23776
https://notcve.org/view.php?id=CVE-2023-23776
07 Mar 2023 — An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer versions 7.2.0 through 7.2.1, 7.0.0 through 7.0.4 and 6.4.0 through 6.4.10 may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer • https://fortiguard.com/psirt/FG-IR-22-447 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-25611
https://notcve.org/view.php?id=CVE-2023-25611
07 Mar 2023 — A improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiAnalyzer 6.4.0 - 6.4.9, 7.0.0 - 7.0.5, and 7.2.0 - 7.2.1 allows local attacker to execute unauthorized code or commands via inserting spreadsheet formulas in macro names. • https://fortiguard.com/psirt/FG-IR-22-488 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2022-30304
https://notcve.org/view.php?id=CVE-2022-30304
16 Feb 2023 — An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer. • https://fortiguard.com/psirt/FG-IR-22-166 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2022-38377
https://notcve.org/view.php?id=CVE-2022-38377
25 Nov 2022 — An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information. Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiManager 7.2... • https://fortiguard.com/psirt/FG-IR-20-143 • CWE-284: Improper Access Control •