CVE-2024-55593
https://notcve.org/view.php?id=CVE-2024-55593
14 Jan 2025 — An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows an attacker to disclose sensitive information via crafted SQL queries. • https://fortiguard.fortinet.com/psirt/FG-IR-24-465 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
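As an added illustration of the CWE-89 pattern behind this entry (information disclosure through a crafted query), not FortiWeb's code: the schema, the rows, the `search_policies_*` functions and the payload below are all constructed for the demo. The vulnerable variant concatenates the search term into the statement, so a term that closes the string literal and appends a UNION pulls rows from a table the feature never meant to expose; the safe variant binds the term as a parameter.

```python
import sqlite3

# Added example, generic CWE-89 illustration. Schema, rows and names are
# constructed for this demo and do not reflect FortiWeb internals.


def make_db():
    """In-memory database: one table the user may search (policies) and one
    table the search feature must never expose (admins)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT NOT NULL,
                             pw_hash TEXT NOT NULL);
        INSERT INTO policies (name) VALUES ('web-policy-1'), ('api-policy-2');
        INSERT INTO admins (username, pw_hash) VALUES
            ('admin',   'constructed-hash-1'),
            ('auditor', 'constructed-hash-2');
        """
    )
    return conn


def search_policies_vulnerable(conn, term):
    """Builds the statement by string concatenation: the search term is parsed
    as SQL text, so quotes and keywords inside it change the query."""
    sql = "SELECT name FROM policies WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_policies_safe(conn, term):
    """Same query with a bound parameter: the driver sends the term as data,
    so it can only ever be matched against, never executed."""
    sql = "SELECT name FROM policies WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed attacker input: closes the string literal, appends a UNION that
# reads an unrelated table, and comments out the trailing "%'" of the query.
PAYLOAD = "zzz%' UNION SELECT username || ':' || pw_hash FROM admins -- "


def demo():
    """Run both variants against the same crafted term and a benign term."""
    conn = make_db()
    return {
        "vulnerable": sorted(search_policies_vulnerable(conn, PAYLOAD)),
        "safe": search_policies_safe(conn, PAYLOAD),
        "safe_normal": search_policies_safe(conn, "web"),
    }


if __name__ == "__main__":
    print(demo())
```

With the crafted term, the concatenated statement returns every `username:pw_hash` pair from `admins`; the parameterized version returns nothing, because the whole term is just an (unmatched) LIKE pattern. The fix is the binding, not input filtering: an allowlist on the term is defence in depth, but only parameterization removes the parse-time confusion.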
CVE-2024-36509
https://notcve.org/view.php?id=CVE-2024-36509
12 Nov 2024 — An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page. • https://fortiguard.fortinet.com/psirt/FG-IR-24-180 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVE-2024-33509
https://notcve.org/view.php?id=CVE-2024-33509
09 Jul 2024 — An improper certificate validation vulnerability [CWE-295] in FortiWeb 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions and 6.3 all versions may allow a remote and unauthenticated attacker in a Man-in-the-Middle position to decipher and/or tamper with the communication channel between the device and different endpoints used to fetch data for Web Application Firewall (WAF). • https://fortiguard.fortinet.com/psirt/FG-IR-22-326 • CWE-295: Improper Certificate Validation •
CVE-2024-23665
https://notcve.org/view.php?id=CVE-2024-23665
03 Jun 2024 — Multiple improper authorization vulnerabilities [CWE-285] in FortiWeb version 7.4.2 and below, version 7.2.7 and below, version 7.0.10 and below, version 6.4.3 and below, version 6.3.23 and below may allow an authenticated attacker to perform unauthorized ADOM operations via crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-474 • CWE-285: Improper Authorization •
CVE-2024-23107
https://notcve.org/view.php?id=CVE-2024-23107
03 Jun 2024 — An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiWeb version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, 6.3 all versions may allow an authenticated attacker to read password hashes of other administrators via CLI commands. • https://fortiguard.fortinet.com/psirt/FG-IR-23-191 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-46713
https://notcve.org/view.php?id=CVE-2023-46713
13 Dec 2023 — An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application. • https://fortiguard.com/psirt/FG-IR-23-256 • CWE-117: Improper Output Neutralization for Logs •
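As an added illustration of the CWE-117 mechanism this entry describes (log forgery through a crafted URL), not FortiWeb's logger or its traffic-log format: the record layout, the client addresses and the attacker URL below are constructed. A logger that writes the percent-decoded URL verbatim turns `%0d%0a` into a real line break, so the remainder of the URL is read back as a second, fabricated record; escaping control characters before writing keeps the whole request inside one record.

```python
import re
import urllib.parse

# Added example, generic CWE-117 illustration. Record format, addresses and
# the crafted URL are constructed for this demo, not FortiWeb's log format.

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def format_entry_vulnerable(client_ip, method, raw_url, status):
    """Writes the decoded URL verbatim, so CR/LF the attacker percent-encoded
    into the request path becomes a real line break in the log file."""
    url = urllib.parse.unquote(raw_url)
    return f"{client_ip} {method} {url} {status}\n"


def neutralize(value):
    """Escape control characters as visible \\xNN text so a field can never
    terminate the current record or start a new one."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def format_entry_safe(client_ip, method, raw_url, status):
    """Same record layout, but every logged field is neutralized first."""
    url = neutralize(urllib.parse.unquote(raw_url))
    return f"{client_ip} {method} {url} {status}\n"


# Constructed attacker request: %0d%0a ends the genuine record early, and what
# follows reads like a separate, successful request from 10.0.0.5.
CRAFTED_URL = "/index.html%0d%0a10.0.0.5%20GET%20/admin/login%20200"


def source_ips(log_text):
    """What an analyst or SIEM would extract: the first field of each record."""
    return [line.split(" ", 1)[0] for line in log_text.splitlines() if line]


def demo():
    """Log one crafted request with each writer and compare what a reader sees."""
    vuln_log = format_entry_vulnerable("198.51.100.7", "GET", CRAFTED_URL, 404)
    safe_log = format_entry_safe("198.51.100.7", "GET", CRAFTED_URL, 404)
    return {
        "vulnerable_records": len(vuln_log.splitlines()),
        "vulnerable_ips": source_ips(vuln_log),
        "safe_records": len(safe_log.splitlines()),
        "safe_ips": source_ips(safe_log),
        "safe_line": safe_log,
    }


if __name__ == "__main__":
    print(demo())
```

One crafted request produces two records in the vulnerable log, the second attributed to an address that never connected; the neutralized log keeps a single record whose URL visibly contains `\x0d\x0a`. A structured format (JSON per record, with the serializer doing the escaping) achieves the same thing without hand-written escaping, which is the usual production choice.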
CVE-2023-34984
https://notcve.org/view.php?id=CVE-2023-34984
13 Sep 2023 — A protection mechanism failure in Fortinet FortiWeb 7.2.0 through 7.2.1, 7.0.0 through 7.0.6, 6.4.0 through 6.4.3, 6.3.6 through 6.3.23 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. • https://fortiguard.com/psirt/FG-IR-23-068 • CWE-693: Protection Mechanism Failure •
CVE-2023-23777
https://notcve.org/view.php?id=CVE-2023-23777
11 Jul 2023 — An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.18 and below may allow a privileged attacker to execute arbitrary bash commands via crafted CLI backup parameters. • https://fortiguard.com/psirt/FG-IR-22-131 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
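As an added illustration of the CWE-78 pattern named in this entry (a command-line parameter reaching a shell), not FortiWeb's CLI code: the "backup" command is stood in for by `echo` so the demo runs anywhere with a POSIX shell, and the function names, the allowlist and the crafted parameter are this demo's own. The vulnerable variant interpolates the parameter into a shell string; the safe variant validates it against an allowlist and then passes it as a single argv element with no shell in between.

```python
import re
import subprocess

# Added example, generic CWE-78 illustration. "echo" stands in for the real
# backup command; names and the allowlist are constructed for this demo.


def backup_vulnerable(filename):
    """Interpolates the parameter into a shell command line. With shell=True
    the string goes to /bin/sh, which honours ';', '|', '$(...)' and friends."""
    cmd = f"echo creating backup {filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_backup_argv(filename):
    """No shell: the argv list goes straight to execve, so the parameter is one
    argument and any metacharacters in it are passed through literally."""
    proc = subprocess.run(["echo", "creating", "backup", filename],
                          capture_output=True, text=True)
    return proc.stdout


FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_valid_filename(filename):
    """Allowlist: a plain filename, no leading '-', no path traversal."""
    return bool(FILENAME_RE.fullmatch(filename)) and ".." not in filename


def backup_safe(filename):
    """Validate first, then avoid the shell entirely: either control alone
    would have blocked the crafted parameter; together they are defence in depth."""
    if not is_valid_filename(filename):
        raise ValueError(f"invalid backup filename: {filename!r}")
    return run_backup_argv(filename)


# Constructed attacker parameter: a plausible name followed by a second command.
CRAFTED = "backup.tgz; echo INJECTED"


if __name__ == "__main__":
    print(backup_vulnerable(CRAFTED), end="")
    print(run_backup_argv(CRAFTED), end="")
    print(backup_safe("backup.tgz"), end="")
```

Run through the shell, the crafted parameter executes the appended `echo INJECTED` as a separate command; through argv it is just text in the output. The allowlist matters even with argv in place, because a parameter that is an argument to a real backup tool can still select options or paths (a leading `-`, a `..` component), which is a different bug but the same untrusted input.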
CVE-2023-33305
https://notcve.org/view.php?id=CVE-2023-33305
13 Jun 2023 — A loop with unreachable exit condition ('infinite loop') in Fortinet FortiOS version 7.2.0 through 7.2.4, FortiOS version 7.0.0 through 7.0.10, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiProxy version 7.2.0 through 7.2.3, FortiProxy version 7.0.0 through 7.0.9, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1 all versions, FortiProxy 1.0 all versions, FortiWeb version 7.2.0 through 7.2.1, FortiWeb version 7.0.0 through 7.0.6, FortiWeb 6.4 all v... • https://fortiguard.com/psirt/FG-IR-22-375 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2022-43955
https://notcve.org/view.php?id=CVE-2022-43955
11 Apr 2023 — An improper neutralization of input during web page generation [CWE-79] in the FortiWeb web interface 7.0.0 through 7.0.3, 6.3.0 through 6.3.21, 6.4 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow an unauthenticated and remote attacker to perform a reflected cross-site scripting (XSS) attack by injecting a malicious payload into log entries used to build reports. • https://fortiguard.com/psirt/FG-IR-22-428 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •