CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-36638
https://notcve.org/view.php?id=CVE-2023-36638
An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID. Una vulnerabilidad de administración de privilegios inadecuada [CWE-269] en FortiManager 7.2.0 a 7.2.2, 7.0.0 a 7.0.7, 6.4.0 a 6.4.11, 6.2 todas las versiones, 6.0 todas las versiones y FortiAnalyzer 7.2.0 a 7.2 .2, 7.0.0 a 7.0.7, 6.4.0 a 6.4.11, 6.2 todas las versiones, 6.0 todas las versiones La API puede permitir que un usuario administrador de API remoto y autenticado acceda a algunas configuraciones del sistema, como la configuración del servidor de correo a través de la API a través de una ID de sesión de GUI robada. • https://fortiguard.com/psirt/FG-IR-22-522 • CWE-284: Improper Access Control •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-25606
https://notcve.org/view.php?id=CVE-2023-25606
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4 all versions may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-471 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-25609
https://notcve.org/view.php?id=CVE-2023-25609
A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to access unauthorized files and services on the system via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-493 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22642
https://notcve.org/view.php?id=CVE-2023-22642
An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4.8 through 6.4.10 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert ressources. • https://fortiguard.com/psirt/FG-IR-22-502 • CWE-295: Improper Certificate Validation •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2022-38377
https://notcve.org/view.php?id=CVE-2022-38377
An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information. Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiManager 7.2.0, 7.0.0 a 7.0.3, 6.4.0 a 6.4.7, 6.2.0 a 6.2.9, 6.0.0 a 6.0.11 y FortiAnalyzer 7.2 .0, 7.0.0 a 7.0.3, 6.4.0 a 6.4.8, 6.2.0 a 6.2.10, 6.0.0 a 6.0.12 pueden permitir que un usuario administrador remoto y autenticado asignado a un ADOM específico acceda a otros ADOM de información, como información del dispositivo e información del panel. • https://fortiguard.com/psirt/FG-IR-20-143 • CWE-284: Improper Access Control •