CVSS: 8.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-21760
https://notcve.org/view.php?id=CVE-2024-21760
18 Mar 2025 — An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet. • https://fortiguard.fortinet.com/psirt/FG-IR-23-420 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.7EPSS: 0%CPEs: 99EXPL: 0CVE-2022-23439
https://notcve.org/view.php?id=CVE-2022-23439
22 Jan 2025 — A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.... • https://fortiguard.com/psirt/FG-IR-21-254 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 0CVE-2024-36510
https://notcve.org/view.php?id=CVE-2024-36510
14 Jan 2025 — An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to enumerate valid users via observing login request responses. • https://fortiguard.fortinet.com/psirt/FG-IR-24-071 • CWE-204: Observable Response Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-45327
https://notcve.org/view.php?id=CVE-2024-45327
11 Sep 2024 — An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-048 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-26211
https://notcve.org/view.php?id=CVE-2023-26211
13 Aug 2024 — An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module. • https://fortiguard.com/psirt/FG-IR-23-088 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-23775
https://notcve.org/view.php?id=CVE-2023-23775
11 Jun 2024 — Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerabilities [CWE-89] in FortiSOAR 7.2.0 and before 7.0.3 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters. Múltiples vulnerabilidades de neutralización inadecuada de elementos especiales utilizados en comandos SQL ("Inyección SQL") [CWE-89] en FortiSOAR 7.2.0 y anteriores a 7.0.3 pueden permitir que un atacante autenticado ejecute código o co... • https://fortiguard.com/psirt/FG-IR-22-448 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31493
https://notcve.org/view.php?id=CVE-2024-31493
03 Jun 2024 — An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3.0, version 7.2.2 and below, version 7.0.3 and below may allow an authenticated low privileged user to read Connector passwords in plain-text via HTTP responses. Una eliminación inadecuada de información confidencial antes de la vulnerabilidad de almacenamiento o transferencia [CWE-212] en FortiSOAR versión 7.3.0, versión 7.2.2 e inferiores, versión 7.0.3 e inferiores puede permitir que un... • https://fortiguard.fortinet.com/psirt/FG-IR-24-052 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38379
https://notcve.org/view.php?id=CVE-2022-38379
06 Dec 2022 — Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR. La neutralización incorrecta de la entrada durante la generación de la página web [CWE-79] en FortiSOAR 7.0.0 hasta 7.0.3 y 7.2.0 puede permitir que un atacante autenticado inyecte etiquetas HTML a través de campos de entrada de varios componentes dentro de FortiSOAR. • https://fortiguard.com/psirt/FG-IR-22-220 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42473
https://notcve.org/view.php?id=CVE-2022-42473
02 Nov 2022 — A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and 7.2.0 allows an attacker to disclose information via logging into the database using a privileged account without a password. Una autenticación faltante para una vulnerabilidad de función crítica en Fortinet FortiSOAR 6.4.0 - 6.4.4 y 7.0.0 - 7.0.3 y 7.2.0 permite a un atacante revelar información iniciando sesión en la base de datos usando una cuenta privilegiada sin contraseña. • https://fortiguard.com/psirt/FG-IR-22-216 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29061
https://notcve.org/view.php?id=CVE-2022-29061
09 Sep 2022 — An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP GET requests. Una vulnerabilidad de neutralización inapropiada de los elementos especiales usados en un comando OS ("Inyección de comandos del Sistema Operativo") [CWE-78] en Fortinet FortiSOAR versiones anteriores a 7.2.1, permite a un atacante autenticado ejecutar có... • https://fortiguard.com/psirt/FG-IR-22-156 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •