CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48786
https://notcve.org/view.php?id=CVE-2023-48786
10 Jun 2025 — A server-side request forgery vulnerability [CWE-918] in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-342 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-32119
https://notcve.org/view.php?id=CVE-2024-32119
10 Jun 2025 — An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-375 • CWE-1390: Weak Authentication •
CVSS: 3.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-22855
https://notcve.org/view.php?id=CVE-2025-22855
08 Apr 2025 — An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code. • https://fortiguard.fortinet.com/psirt/FG-IR-23-344 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0CVE-2024-23106
https://notcve.org/view.php?id=CVE-2024-23106
14 Jan 2025 — An improper restriction of excessive authentication attempts [CWE-307] in FortiClientEMS version 7.2.0 through 7.2.4 and before 7.0.10 allows an unauthenticated attacker to try a brute force attack against the FortiClientEMS console via crafted HTTP or HTTPS requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-476 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 3.7EPSS: 0%CPEs: 5EXPL: 0CVE-2024-36506
https://notcve.org/view.php?id=CVE-2024-36506
14 Jan 2025 — An improper verification of source of a communication channel vulnerability [CWE-940] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, 6.4 all versions may allow a remote attacker to bypass the trusted host feature via session connection. • https://fortiguard.fortinet.com/psirt/FG-IR-24-078 • CWE-940: Improper Verification of Source of a Communication Channel •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2024-36510
https://notcve.org/view.php?id=CVE-2024-36510
14 Jan 2025 — An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to enumerate valid users via observing login request responses. • https://fortiguard.fortinet.com/psirt/FG-IR-24-071 • CWE-204: Observable Response Discrepancy •
CVSS: 7.3EPSS: 0%CPEs: 9EXPL: 0CVE-2024-21753
https://notcve.org/view.php?id=CVE-2024-21753
10 Sep 2024 — A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiClientEMS versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.13, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8, 1.2.1 through 1.2.5 allows attacker to perform a denial of service, read or write a limited number of files via specially crafted HTTP requests Una limitación incorrecta de una ruta de acceso a un directorio restringido ("ruta de acceso") en las versiones 7.2.0 a 7.2.4, 7.0.0 a 7.0.13, 6.... • https://fortiguard.fortinet.com/psirt/FG-IR-23-362 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 6%CPEs: 2EXPL: 0CVE-2024-33508
https://notcve.org/view.php?id=CVE-2024-33508
10 Sep 2024 — An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in Fortinet FortiClientEMS 7.2.0 through 7.2.4, 7.0.0 through 7.0.12 may allow an unauthenticated attacker to execute limited and temporary operations on the underlying database via crafted requests. Una neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando ('Inyección de comando') [CWE-77] en Fortinet FortiClientEMS 7.2.0 a 7.2.4, 7.0.0 a 7.0.12 puede permiti... • https://fortiguard.fortinet.com/psirt/FG-IR-24-123 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •