Page 6 of 31 results (0.008 seconds)

CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0

An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests. Una vulnerabilidad de omisión de autorización a través de clave controlada por el usuario [CWE-639] en Fortinet FortiManager versión 7.4.0 y anteriores a 7.2.3 y FortiAnalyzer versión 7.4.0 y anteriores a 7.2.3 permite a un atacante remoto con privilegios bajos leer información confidencial a través de solicitudes HTTP manipuladas. • https://fortiguard.com/psirt/FG-IR-23-201 https://github.com/orangecertcc/security-research/security/advisories/GHSA-x8rp-jfwc-gqqj • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID. Una vulnerabilidad de administración de privilegios inadecuada [CWE-269] en FortiManager 7.2.0 a 7.2.2, 7.0.0 a 7.0.7, 6.4.0 a 6.4.11, 6.2 todas las versiones, 6.0 todas las versiones y FortiAnalyzer 7.2.0 a 7.2 .2, 7.0.0 a 7.0.7, 6.4.0 a 6.4.11, 6.2 todas las versiones, 6.0 todas las versiones La API puede permitir que un usuario administrador de API remoto y autenticado acceda a algunas configuraciones del sistema, como la configuración del servidor de correo a través de la API a través de una ID de sesión de GUI robada. • https://fortiguard.com/psirt/FG-IR-22-522 • CWE-284: Improper Access Control •

CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4  all versions may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-471 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0

A server-side request forgery (SSRF) vulnerability [CWE-918] in FortiManager and FortiAnalyzer GUI 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.8 through 6.4.11 may allow a remote and authenticated attacker to access unauthorized files and services on the system via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-493 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0

An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager 7.2.0 through 7.2.1, 7.0.0 through 7.0.5, 6.4.8 through 6.4.10 may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert ressources. • https://fortiguard.com/psirt/FG-IR-22-502 • CWE-295: Improper Certificate Validation •