CVSS: 4.7EPSS: 0%CPEs: 99EXPL: 0CVE-2022-23439
https://notcve.org/view.php?id=CVE-2022-23439
22 Jan 2025 — A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.... • https://fortiguard.com/psirt/FG-IR-21-254 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 6.7EPSS: 0%CPEs: 5EXPL: 0CVE-2024-56497
https://notcve.org/view.php?id=CVE-2024-56497
14 Jan 2025 — An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.6 and 6.4.0 through 6.4.7, FortiRecorder versions 7.0.0 and 6.4.0 through 6.4.4 allows attacker to execute unauthorized code or commands via the CLI. • https://fortiguard.fortinet.com/psirt/FG-IR-23-170 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 18EXPL: 0CVE-2022-27488
https://notcve.org/view.php?id=CVE-2022-27488
13 Dec 2023 — A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests. Cross-Site Request ... • https://fortiguard.com/psirt/FG-IR-22-038 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-36633
https://notcve.org/view.php?id=CVE-2023-36633
14 Nov 2023 — An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests. Una vulnerabilidad de autorización inadecuada [CWE-285] en el correo web FortiMail versión 7.2.0 a 7.2.2 y anteriores a 7.0.5 permite a un atacante autenticado ver y modificar el título de las carpetas de la libreta de direcciones de otros usuarios a través de... • https://fortiguard.com/psirt/FG-IR-23-203 • CWE-285: Improper Authorization CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-45582
https://notcve.org/view.php?id=CVE-2023-45582
14 Nov 2023 — An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4, 7.0.0 through 7.0.6 and before 6.4.8 may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts. Una vulnerabilidad de restricción inadecuada de intentos excesivos de autenticación [CWE-307] en el correo web FortiMail versión 7.2.0 a 7.2.4, 7.0.0 a 7.0.6 y anteriores a 6.4.8 puede permitir que un atacante no au... • https://fortiguard.com/psirt/FG-IR-23-287 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2023-36556
https://notcve.org/view.php?id=CVE-2023-36556
10 Oct 2023 — An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to login on other users accounts from the same web domain via crafted HTTP or HTTPs requests. Una vulnerabilidad de autorización incorrecta [CWE-863] en el correo web FortiMail versión 7.2.0 a 7.2.2, versión 7.0.0 a 7.0.5 e inferior a 6.4.7 permite a un atacante autenticado iniciar sesión en cuentas de otros usuarios desde el mismo ... • https://fortiguard.com/psirt/FG-IR-23-202 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29056
https://notcve.org/view.php?id=CVE-2022-29056
09 Mar 2023 — A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form. A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to parti... • https://fortiguard.com/psirt/FG-IR-20-078 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 8.6EPSS: 0%CPEs: 24EXPL: 0CVE-2022-26122
https://notcve.org/view.php?id=CVE-2022-26122
02 Nov 2022 — An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168 and below and version 6.4.274 and below may allow an attacker to bypass the AV engine via manipulating MIME attachment with junk and pad characters in base64. Una verificación insuficiente de la vulnerabilidad de autenticidad de datos [CWE-345] en los motores FortiClient, FortiMail y FortiOS AV versión 6.2.168 e inferiores y la versión 6.4.274 e inferiores puede permitir... • https://fortiguard.com/psirt/FG-IR-22-074 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.7EPSS: 0%CPEs: 5EXPL: 0CVE-2022-39945
https://notcve.org/view.php?id=CVE-2022-39945
02 Nov 2022 — An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR). Una vulnerabilidad de control de acceso inadecuado [CWE-284] en FortiMail 7.2.0, 7.0.0 a 7.0.3, 6.4 todas las versiones, 6.2 todas las versiones, 6.0 todas las versiones puede permitir que un usuario admini... • https://fortiguard.com/psirt/FG-IR-22-066 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26114
https://notcve.org/view.php?id=CVE-2022-26114
06 Sep 2022 — An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages. Una vulnerabilidad de neutralización inapropiada de la entrada durante la generación de la página web [CWE-79] en el Webmail de FortiMail versiones anteriores a 7.2.0 puede permitir a un atacante no autenticado desencadenar un ataque de tipo cross-site sc... • https://fortiguard.com/psirt/FG-IR-21-045 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •