
CVSS: 8.0 • EPSS: 0% • CPEs: 6 • EXPL: 0

02 Nov 2022 — An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281. • https://fortiguard.com/psirt/FG-IR-21-228 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 10 • EXPL: 0

10 Oct 2022 — An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path. • https://fortiguard.com/psirt/FG-IR-22-026 • CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 6.7 • EPSS: 0% • CPEs: 8 • EXPL: 0

18 Jul 2022 — A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0 through 7.0.3 may allow a local and authenticated attacker with a restricted shell to escalate their privileges to root due to incorrect permissions of some folders and executable files on the system. • https://fortiguard.com/psirt/FG-IR-21-056 • CWE-269: Improper Privilege Management

CVSS: 8.3 • EPSS: 0% • CPEs: 8 • EXPL: 0

18 Jul 2022 — An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiManager version 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.x and 6.0.x and FortiAnalyzer version 7.0.0 through 7.0.3, version 6.4.0 through 6.4.7, 6.2.x and 6.0.x allows an attacker to execute arbitrary shell code as `root` user via `diagnose system` CLI commands. • https://fortiguard.com/psirt/FG-IR-22-049 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.8 • EPSS: 1% • CPEs: 9 • EXPL: 1

06 Apr 2022 — Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters. • https://fortiguard.com/advisory/FG-IR-21-037 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

02 Mar 2022 — An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file. • https://fortiguard.com/psirt/FG-IR-21-165 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 • EPSS: 0% • CPEs: 10 • EXPL: 0

01 Mar 2022 — An improper handling of insufficient permissions or privileges in Fortinet FortiAnalyzer version 5.6.0 through 5.6.11, FortiAnalyzer version 6.0.0 through 6.0.11, FortiAnalyzer version 6.2.0 through 6.2.9, FortiAnalyzer version 6.4.0 through 6.4.7, FortiAnalyzer version 7.0.0 through 7.0.2, FortiManager version 5.6.0 through 5.6.11, FortiManager version 6.0.0 through 6.0.11, FortiManager version 6.2.0 through 6.2.9, FortiManager version 6.4.0 through 6.4.7, FortiManager version 7.0.0 through 7.0.2 allows at... • https://fortiguard.com/psirt/FG-IR-21-255 • CWE-755: Improper Handling of Exceptional Conditions

CVSS: 6.7 • EPSS: 0% • CPEs: 30 • EXPL: 0

08 Dec 2021 — A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments. • https://fortiguard.com/advisory/FG-IR-21-173 • CWE-787: Out-of-bounds Write

CVSS: 5.2 • EPSS: 0% • CPEs: 5 • EXPL: 0

03 Nov 2021 — An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS. • https://fortiguard.com/advisory/FG-IR-21-103 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

02 Nov 2021 — An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager. • https://fortiguard.com/advisory/FG-IR-21-043