CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41330
https://notcve.org/view.php?id=CVE-2022-41330
An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9, version 6.4.0 through 6.4.11 and before 6.2.12 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests. • https://fortiguard.com/psirt/FG-IR-22-363 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2022-41329
https://notcve.org/view.php?id=CVE-2022-41329
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiOS version 7.2.0 through 7.2.3 and 7.0.0 through 7.0.9 allows an unauthenticated attackers to obtain sensitive logging informations on the device via crafted HTTP GET requests. • https://fortiguard.com/psirt/FG-IR-22-364 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.2EPSS: 0%CPEs: 10EXPL: 0CVE-2022-42476
https://notcve.org/view.php?id=CVE-2022-42476
A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.11, FortiProxy version 7.2.0 through 7.2.2 and 7.0.0 through 7.0.8 allows privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests. • https://fortiguard.com/psirt/FG-IR-22-401 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 0CVE-2022-45861
https://notcve.org/view.php?id=CVE-2022-45861
An access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN portal of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.11 and FortiProxy version 7.2.0 through 7.2.1, version 7.0.0 through 7.0.7 and before 2.0.11 allows a remote authenticated attacker to crash the sslvpn daemon via an HTTP GET request. • https://fortiguard.com/psirt/FG-IR-22-477 • CWE-824: Access of Uninitialized Pointer •
CVSS: 3.3EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29054
https://notcve.org/view.php?id=CVE-2022-29054
A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the DHCP and DNS keys in Fortinet FortiOS version 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.9, 6.2.x and 6.0.x may allow an attacker in possession of the encrypted key to decipher it. • https://fortiguard.com/psirt/FG-IR-22-080 • CWE-329: Generation of Predictable IV with CBC Mode •