CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28001
https://notcve.org/view.php?id=CVE-2023-28001
An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API. • https://fortiguard.com/psirt/FG-IR-23-028 • CWE-613: Insufficient Session Expiration •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-23447
https://notcve.org/view.php?id=CVE-2022-23447
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-039 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-22302
https://notcve.org/view.php?id=CVE-2022-22302
A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem. • https://fortiguard.com/psirt/FG-IR-20-014 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-23777
https://notcve.org/view.php?id=CVE-2023-23777
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.18 and below may allow a privileged attacker to execute arbitrary bash commands via crafted cli backup parameters. • https://fortiguard.com/psirt/FG-IR-22-131 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2023-33299
https://notcve.org/view.php?id=CVE-2023-33299
A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows attacker to execute unauthorized code or commands via specifically crafted request on inter-server communication port. Note FortiNAC versions 8.x will not be fixed. • https://fortiguard.com/psirt/FG-IR-23-074 • CWE-502: Deserialization of Untrusted Data •