
CVSS: 7.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

An improper authorization vulnerability [CWE-285] in the change password endpoint of FortiSOAR versions 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, and 7.0.0 through 7.0.3 may allow an authenticated attacker to perform a brute force attack on users' and administrators' passwords via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-048 • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS: 6.4 • EPSS: 0% • CPEs: 5 • EXPL: 0

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module. • https://fortiguard.com/psirt/FG-IR-23-088 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerabilities [CWE-89] in FortiSOAR 7.2.0 and before 7.0.3 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted string parameters. • https://fortiguard.com/psirt/FG-IR-22-448 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3.0, version 7.2.2 and below, version 7.0.3 and below may allow an authenticated low privileged user to read Connector passwords in plain-text via HTTP responses. • https://fortiguard.fortinet.com/psirt/FG-IR-24-052 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

An improper neutralization of special elements used in a template engine vulnerability in Fortinet FortiSOAR 7.3.0 through 7.3.1 allows an authenticated, remote attacker to execute arbitrary code via a crafted payload. • https://fortiguard.com/psirt/FG-IR-23-051 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine