CVE-2024-36509
https://notcve.org/view.php?id=CVE-2024-36509
An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page. • https://fortiguard.fortinet.com/psirt/FG-IR-24-180 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVE-2024-33509
https://notcve.org/view.php?id=CVE-2024-33509
An improper certificate validation vulnerability [CWE-295] in FortiWeb 7.2.0 through 7.2.1, 7.0 all versions, 6.4 all versions and 6.3 all versions may allow a remote and unauthenticated attacker in a Man-in-the-Middle position to decipher and/or tamper with the communication channel between the device and different endpoints used to fetch data for Web Application Firewall (WAF). • https://fortiguard.fortinet.com/psirt/FG-IR-22-326 • CWE-295: Improper Certificate Validation •
CVE-2024-23665
https://notcve.org/view.php?id=CVE-2024-23665
Multiple improper authorization vulnerabilities [CWE-285] in FortiWeb version 7.4.2 and below, version 7.2.7 and below, version 7.0.10 and below, version 6.4.3 and below, version 6.3.23 and below may allow an authenticated attacker to perform unauthorized ADOM operations via crafted requests. Múltiples vulnerabilidades de autorización inadecuada [CWE-285] en FortiWeb versión 7.4.2 y anteriores, versión 7.2.7 y siguientes, versión 7.0.10 y siguientes, versión 6.4.3 y siguientes, versión 6.3.23 y siguientes pueden permitir un atacante autenticado para realizar operaciones ADOM no autorizadas a través de solicitudes manipuladas. • https://fortiguard.fortinet.com/psirt/FG-IR-23-474 • CWE-285: Improper Authorization •
CVE-2024-23107
https://notcve.org/view.php?id=CVE-2024-23107
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiWeb version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, 6.3 all versions may allow an authenticated attacker to read password hashes of other administrators via CLI commands. Una exposición de información confidencial a una vulnerabilidad de actor no autorizado [CWE-200] en FortiWeb versión 7.4.0, versión 7.2.4 e inferiores, versión 7.0.8 e inferiores, 6.3 todas las versiones puede permitir que un atacante autenticado lea hashes de contraseñas de otros administradores a través de comandos CLI. • https://fortiguard.fortinet.com/psirt/FG-IR-23-191 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-46713
https://notcve.org/view.php?id=CVE-2023-46713
An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application. Una neutralización de salida inadecuada para los registros en Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 y 7.4.0 puede permitir que un atacante falsifique registros de tráfico a través de una URL manipulada de la aplicación web. • https://fortiguard.com/psirt/FG-IR-23-256 • CWE-117: Improper Output Neutralization for Logs •