CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-44249
https://notcve.org/view.php?id=CVE-2023-44249
10 Oct 2023 — An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. Una vulnerabilidad de omisión de autorización a través de clave controlada por el usuario [CWE-639] en Fortinet FortiManager versión 7.4.0 y anteriores a 7.2.3 y FortiAnalyzer versión 7.4.0 y anteriores a 7.2.3 permite a un ataca... • https://fortiguard.com/psirt/FG-IR-23-201 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-36638
https://notcve.org/view.php?id=CVE-2023-36638
13 Sep 2023 — An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID. Una vulnerabilidad de administración de privilegios inadec... • https://fortiguard.com/psirt/FG-IR-22-522 • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 20EXPL: 0CVE-2022-22305
https://notcve.org/view.php?id=CVE-2022-22305
01 Sep 2023 — An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers. Una vulnerabilidad de validación de certificado incorrecta [CWE-295] en FortiManager v7.0.1 y versiones inferiores, v6.4.6 y versiones inferiore... • https://fortiguard.com/psirt/FG-IR-18-292 • CWE-295: Improper Certificate Validation CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 6.7EPSS: 0%CPEs: 9EXPL: 0CVE-2021-43072
https://notcve.org/view.php?id=CVE-2021-43072
18 Jul 2023 — A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiAnalyzer version 7.0.2 and below, version 6.4.7 and below, version 6.2.9 and below, version 6.0.11 and below, version 5.6.11 and below, FortiManager version 7.0.2 and below, version 6.4.7 and below, version 6.2.9 and below, version 6.0.11 and below, version 5.6.11 and below, FortiOS version 7.0.0 through 7.0.4, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.x and FortiProxy version 7.0.0 through 7.0.3, 2.0.0 through 2.... • https://fortiguard.com/advisory/FG-IR-21-206 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-25606
https://notcve.org/view.php?id=CVE-2023-25606
11 Jul 2023 — An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4 all versions may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management in... • https://fortiguard.com/psirt/FG-IR-22-471 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-25609
https://notcve.org/view.php?id=CVE-2023-25609
13 Jun 2023 — A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to access unauthorized files and services on the system via specially crafted web requests. A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to a... • https://fortiguard.com/psirt/FG-IR-22-493 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22642
https://notcve.org/view.php?id=CVE-2023-22642
11 Apr 2023 — An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4.8 through 6.4.10 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert ressources. • https://fortiguard.com/psirt/FG-IR-22-502 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-45857
https://notcve.org/view.php?id=CVE-2022-45857
05 Jan 2023 — An incorrect user management vulnerability [CWE-286] in the FortiManager version 6.4.6 and below VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the super_admin account is deleted. Una vulnerabilidad de administración de usuarios incorrecta [CWE-286] en el componente de creación de VDOM de FortiManager versión 6.4.6 e inferiores puede permitir que un atacante acceda a FortiGate sin contraseña a través de VDOM recién creados después de elim... • https://fortiguard.com/psirt/FG-IR-22-371 • CWE-286: Incorrect User Management •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2022-38377
https://notcve.org/view.php?id=CVE-2022-38377
25 Nov 2022 — An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information. Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiManager 7.2... • https://fortiguard.com/psirt/FG-IR-20-143 • CWE-284: Improper Access Control •
CVSS: 8.0EPSS: 0%CPEs: 6EXPL: 0CVE-2022-39950
https://notcve.org/view.php?id=CVE-2022-39950
02 Nov 2022 — An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281. Existe una neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web [CWE-79] en FortiManager y F... • https://fortiguard.com/psirt/FG-IR-21-228 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •