CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-47536
https://notcve.org/view.php?id=CVE-2023-47536
13 Dec 2023 — An improper access control vulnerability [CWE-284] in FortiOS version 7.2.0, version 7.0.13 and below, version 6.4.14 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below may allow a remote unauthenticated attacker to bypass the firewall deny geolocalisation policy via timing the bypass with a GeoIP database update. Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiOS versión 7.2.0, versión 7.0.13 e inferior, versión 6.4.14 e inferior y Forti... • https://fortiguard.com/psirt/FG-IR-23-432 • CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 0%CPEs: 12EXPL: 0CVE-2023-41678
https://notcve.org/view.php?id=CVE-2023-41678
13 Dec 2023 — A double free in Fortinet FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0.0 through 1.0.3, 1.1.0 through 1.1.1 allows attacker to execute unauthorized code or commands via specifically crafted request. Un doble gratuito en las versiones Fortinet FortiOS 7.0.0 a 7.0.5, FortiPAM versión 1.0.0 a 1.0.3, 1.1.0 a 1.1.1 permite a un atacante ejecutar código o comandos no autorizados a través de una solicitud específicamente manipulada. • https://fortiguard.com/psirt/FG-IR-23-196 • CWE-415: Double Free •
CVSS: 9.0EPSS: 0%CPEs: 10EXPL: 0CVE-2023-36639
https://notcve.org/view.php?id=CVE-2023-36639
13 Dec 2023 — A use of externally-controlled format string in Fortinet FortiProxy versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.10, FortiOS versions 7.4.0, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiPAM versions 1.0.0 through 1.0.3 allows attacker to execute unauthorized code or commands via specially crafted API requests. Un uso de cadena de formato controlada externamente en Fortinet FortiProxy versiones 7.2.0 a 7.2.4, 7.0.0 a 7.0.10, versiones de... • https://fortiguard.com/psirt/FG-IR-23-138 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 6.7EPSS: 0%CPEs: 8EXPL: 0CVE-2023-28002
https://notcve.org/view.php?id=CVE-2023-28002
14 Nov 2023 — An improper validation of integrity check value vulnerability [CWE-354] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.12, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.2 all versions, 7.0 all versions, 2.0 all versions VMs may allow a local attacker with admin privileges to boot a malicious image on the device and bypass the filesystem integrity check in place. Una vulnerabilidad de validación inadecuada del valor de verificación de integridad [CWE-354] en FortiOS 7.2.0 a 7.2.3, ... • https://fortiguard.com/psirt/FG-IR-22-396 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 6.8EPSS: 0%CPEs: 11EXPL: 0CVE-2023-36641
https://notcve.org/view.php?id=CVE-2023-36641
14 Nov 2023 — A numeric truncation error in Fortinet FortiProxy version 7.2.0 through 7.2.4, FortiProxy version 7.0.0 through 7.0.10, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1, all versions, FortiProxy 1.0 all versions, FortiOS version 7.4.0, FortiOS version 7.2.0 through 7.2.5, FortiOS version 7.0.0 through 7.0.12, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions allows attacker to denial of service via specifically crafted HTTP requests. Un error de truncamient... • https://fortiguard.com/psirt/FG-IR-23-151 • CWE-197: Numeric Truncation Error •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-37935
https://notcve.org/view.php?id=CVE-2023-37935
10 Oct 2023 — A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 and 7.4.0 allows an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services. Un uso del método de solicitud GET con vulnerabilidad de cadenas de consulta confidenciales en Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 y 7.4.0 permite a un atacante ver contraseñas en texto plano de servicios remotos com... • https://fortiguard.com/psirt/FG-IR-23-120 • CWE-598: Use of GET Request Method With Sensitive Query Strings •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-41675
https://notcve.org/view.php?id=CVE-2023-41675
10 Oct 2023 — A use after free vulnerability [CWE-416] in FortiOS version 7.2.0 through 7.2.4 and version 7.0.0 through 7.0.10 and FortiProxy version 7.2.0 through 7.2.2 and version 7.0.0 through 7.0.8 may allow an unauthenticated remote attacker to crash the WAD process via multiple crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Una vulnerabilidad de use-after-free [CWE-416] en FortiOS versión 7.2.0 a 7.2.4 y versión 7.0.0 a 7.0.10 y FortiProxy versión ... • https://fortiguard.com/psirt/FG-IR-23-184 • CWE-416: Use After Free •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-41841
https://notcve.org/view.php?id=CVE-2023-41841
10 Oct 2023 — An improper authorization vulnerability in Fortinet FortiOS 7.0.0 - 7.0.11 and 7.2.0 - 7.2.4 allows an attacker belonging to the prof-admin profile to perform elevated actions. Una vulnerabilidad de autorización inadecuada en Fortinet FortiOS 7.0.0 - 7.0.11 y 7.2.0 - 7.2.4 permite que un atacante que pertenece al perfil prof-admin realice acciones elevadas. • https://fortiguard.com/psirt/FG-IR-23-318 • CWE-285: Improper Authorization •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-40718
https://notcve.org/view.php?id=CVE-2023-40718
10 Oct 2023 — A interpretation conflict in Fortinet IPS Engine versions 7.321, 7.166 and 6.158 allows attacker to evade IPS features via crafted TCP packets. Un conflicto de interpretación en las versiones 7.321, 7.166 y 6.158 de Fortinet IPS Engine permite a un atacante evadir las funciones de IPS a través de paquetes TCP manipulados. • https://fortiguard.com/psirt/FG-IR-23-090 • CWE-436: Interpretation Conflict •
CVSS: 8.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-29183
https://notcve.org/view.php?id=CVE-2023-29183
13 Sep 2023 — An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 and FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14 GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting. Una neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Cross-Site Scripting'... • https://fortiguard.com/psirt/FG-IR-23-106 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •