CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2022-35843
https://notcve.org/view.php?id=CVE-2022-35843
06 Dec 2022 — An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component 7.2.0, 7.0.0 through 7.0.7, 6.4.0 through 6.4.9, 6.2 all versions, 6.0 all versions and FortiProxy SSH login component 7.0.0 through 7.0.5, 2.0.0 through 2.0.10, 1.2.0 all versions may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server. Una omisión de autenticación por vulnerabilidad de datos supuestamen... • https://fortiguard.com/psirt/FG-IR-22-255 • CWE-284: Improper Access Control CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38380
https://notcve.org/view.php?id=CVE-2022-38380
02 Nov 2022 — An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API. Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiOS versión 7.2.0 y versiones 7.0.0 a 7.0.7 puede permitir que un usuario remoto de solo lectura autenticado modifique la configuración de la interfaz a través de la API. • https://fortiguard.com/psirt/FG-IR-22-174 •
CVSS: 8.6EPSS: 0%CPEs: 24EXPL: 0CVE-2022-26122
https://notcve.org/view.php?id=CVE-2022-26122
02 Nov 2022 — An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64. Una verificación insuficiente de la vulnerabilidad de autenticidad de datos [CWE-345] en los motores FortiClient, FortiMail y FortiOS AV versión 6.2.168 e inferiores y la versión 6.4.274 e inferiores puede permitir... • https://fortiguard.com/psirt/FG-IR-22-074 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-30307
https://notcve.org/view.php?id=CVE-2022-30307
02 Nov 2022 — A key management error vulnerability [CWE-320] affecting the RSA SSH host key in FortiOS 7.2.0 and below, 7.0.6 and below, 6.4.9 and below may allow an unauthenticated attacker to perform a man in the middle attack. Una vulnerabilidad de error de administración de claves [CWE-320] que afecta la clave de host RSA SSH en FortiOS 7.2.0 y versiones anteriores, 7.0.6 y versiones anteriores, 6.4.9 y versiones anteriores puede permitir que un atacante no autenticado realice un ataque de hombre en el medio. • https://fortiguard.com/psirt/FG-IR-22-228 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-35842
https://notcve.org/view.php?id=CVE-2022-35842
02 Nov 2022 — An exposure of sensitive information to an unauthorized actor vulnerabiltiy [CWE-200] in FortiOS SSL-VPN versions 7.2.0, versions 7.0.0 through 7.0.6 and versions 6.4.0 through 6.4.9 may allow a remote unauthenticated attacker to gain information about LDAP and SAML settings configured in FortiOS. Una exposición de información sensible a una vulnerabilidad de un actor no autorizado [CWE-200] en FortiOS SSL-VPN versiones 7.2.0, versiones 7.0.0 a 7.0.6 y versiones 6.4.0 a 6.4.9 puede permitir que un atacante ... • https://fortiguard.com/psirt/FG-IR-22-223 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 97%CPEs: 6EXPL: 34CVE-2022-40684 – Fortinet Multiple Products Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-40684
18 Oct 2022 — An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Una omisión de autenticación usando una ruta o canal alternativo [CWE-288] en Fortinet FortiOS versión versiones 7.2.0 hasta 7.2.... • https://packetstorm.news/files/id/171515 • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-29055
https://notcve.org/view.php?id=CVE-2022-29055
10 Oct 2022 — A access of uninitialized pointer in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.x, FortiProxy version 7.0.0 through 7.0.4, 2.0.0 through 2.0.9, 1.2.x allows a remote unauthenticated or authenticated attacker to crash the sslvpn daemon via an HTTP GET request. Un acceso de puntero no inicializado en Fortinet FortiOS versión 7.2.0, 7.0.0 hasta 7.0.5, 6.4.0 hasta 6.4.8, 6.2.0 hasta 6.2.10, 6.0.x, FortiProxy versión 7. 0.0 hasta 7.0.4, 2.0.0 hasta 2.0.9, ... • https://fortiguard.com/psirt/FG-IR-22-086 • CWE-824: Access of Uninitialized Pointer •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2021-44171
https://notcve.org/view.php?id=CVE-2021-44171
10 Oct 2022 — A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiOS version 6.0.0 through 6.0.14, FortiOS version 6.2.0 through 6.2.10, FortiOS version 6.4.0 through 6.4.8, FortiOS version 7.0.0 through 7.0.3 allows attacker to execute privileged commands on a linked FortiSwitch via diagnostic CLI commands. Una neutralización inapropiada de los elementos especiales usados en un comando os ("inyección de comando de os") en Fortinet FortiOS versión 6.0.0 hasta 6.0.... • https://fortiguard.com/psirt/FG-IR-21-242 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-43080
https://notcve.org/view.php?id=CVE-2021-43080
06 Sep 2022 — An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.2.0, version 6.4.0 through 6.4.9, version 7.0.0 through 7.0.5 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack through the URI parameter via the Threat Feed IP address section of the Security Fabric External connectors. Una vulnerabilidad de neutralización inapropiada de la entrada durante la generación de páginas web [CWE-79] en FortiOS versión 7.2.0, versiones... • https://fortiguard.com/psirt/FG-IR-21-222 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-29053
https://notcve.org/view.php?id=CVE-2022-29053
06 Sep 2022 — A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the keytab files in FortiOS version 7.2.0, 7.0.0 through 7.0.5 and below 7.0.0 may allow an attacker in possession of the encrypted file to decipher it. Una vulnerabilidad de pasos criptográficos faltantes [CWE-325] en las funciones que cifran los archivos keytab en FortiOS versiones 7.2.0, 7.0.0 hasta 7.0.5 y anteriores a 7.0.0, puede permitir a un atacante en posesión del archivo cifrado descifrarlo. • https://fortiguard.com/psirt/FG-IR-22-158 •