CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41017
https://notcve.org/view.php?id=CVE-2021-41017
08 Dec 2021 — Multiple heap-based buffer overflow vulnerabilities in some web API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow a remote authenticated attacker to execute arbitrary code or commands via specifically crafted HTTP requests. Múltiples vulnerabilidades de desbordamiento de búfer en la región heap de la memoria en algunos controladores de la API web de FortiWeb versiones 6.4.1, 6.4.0 y 6.3.0 hasta 6.3.15, pueden permitir a un atacante remoto autenticado ejecutar código o comandos arb... • https://fortiguard.com/advisory/FG-IR-21-160 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2021-41025
https://notcve.org/view.php?id=CVE-2021-41025
08 Dec 2021 — Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 thorugh 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer. Múltiples vulnerabilidades en el mecanismo d... • https://fortiguard.com/advisory/FG-IR-21-130 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2021-36195
https://notcve.org/view.php?id=CVE-2021-36195
08 Dec 2021 — Multiple command injection vulnerabilities in the command line interpreter of FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, and 6.1.0 through 6.1.2 may allow an authenticated attacker to execute arbitrary commands on the underlying system shell via specially crafted command arguments. Múltiples vulnerabilidades de inyección de comandos en el intérprete de línea de comandos de FortiWeb versiones 6.4.1, 6.4.0, 6.3.0 hasta 6.3.15, 6.2.0 hasta 6.2.6, y 6.1.0 hasta 6.1.2, pueden perm... • https://fortiguard.com/advisory/FG-IR-21-157 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41013
https://notcve.org/view.php?id=CVE-2021-41013
08 Dec 2021 — An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs. Una vulnerabilidad de control de acceso inapropiado [CWE-284] en FortiWeb versiones 6.4.1 y anteriores y 6.3.15 y anteriores, en la sección Report Browse de Log & Report puede permitir a un usuario no autorizado y no autenticado acceder a los informes de Log a ... • https://fortiguard.com/advisory/FG-IR-21-138 • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-36188
https://notcve.org/view.php?id=CVE-2021-36188
08 Dec 2021 — A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted GET parameters in requests to login and error handlers Una neutralización inapropiada de la entrada durante la generación de la página web ("Cross-site Scripting") en Fortinet FortiWeb versión 6.4.1 y anteriores, 6.3.15 y anteriores, permite a un atacante ejecutar código o comandos no autoriz... • https://fortiguard.com/advisory/FG-IR-21-118 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-43063
https://notcve.org/view.php?id=CVE-2021-43063
08 Dec 2021 — A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage. Una neutralización inapropiada de la entrada durante la generación de la página web ("Cross-site Scripting") en Fortinet FortiWeb versiones 6.4.1 y 6.4.0, versiones 6.3.15 y anteriores, versiones 6.2.6 y anteriores permi... • https://fortiguard.com/advisory/FG-IR-21-122 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-36190
https://notcve.org/view.php?id=CVE-2021-36190
08 Dec 2021 — A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests. Un proxy o intermediario no intencionado ("confused deputy") en Fortinet FortiWeb versión 6.4.1 y anteriores, 6.3.15 y anteriores, permite a un atacante no autenticado acceder a hosts protegidos por medio de peticiones HTTP diseñadas • https://fortiguard.com/advisory/FG-IR-21-123 •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2021-41014
https://notcve.org/view.php?id=CVE-2021-41014
08 Dec 2021 — A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to make the httpsd daemon unresponsive via huge HTTP packets Un consumo no controlado de recursos en Fortinet FortiWeb versiones 6.4.1 y anteriores, 6.3.15 y anteriores, permite a un atacante no autenticado hacer que el demonio httpsd no responda por medio de enormes paquetes HTTP • https://fortiguard.com/advisory/FG-IR-21-131 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0CVE-2021-36191
https://notcve.org/view.php?id=CVE-2021-36191
08 Dec 2021 — A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers Una redirección de url a un sitio que no es de confianza ("open redirect") en Fortinet FortiWeb versión 6.4.1 y anteriores, 6.3.15 y anteriores, permite a un atacante usar el dispositivo como proxy por medio de parámetros GET diseñados en peticiones a manejadores de errores • https://fortiguard.com/advisory/FG-IR-21-133 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41027
https://notcve.org/view.php?id=CVE-2021-41027
08 Dec 2021 — A stack-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, allows an authenticated attacker to execute unauthorized code or commands via crafted certificates loaded into the device. Un desbordamiento del búfer en la región stack de la memoria en Fortinet FortiWeb versiones 6.4.1 y 6.4.0, permite a un atacante autenticado ejecutar código o comandos no autorizados por medio de certificados diseñados cargados en el dispositivo • https://fortiguard.com/advisory/FG-IR-21-134 • CWE-787: Out-of-bounds Write •