
CVSS: 4.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and passwords in cleartext, which allows remote administrators to obtain sensitive information by reading the log at debug/startup/.

References:
• http://packetstormsecurity.com/files/130156/Fortinet-FortiAuthenticator-XSS-Disclosure-Bypass.html
• http://www.fortiguard.com/advisory/FG-IR-15-003
• http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf
• http://www.securityfocus.com/bid/72378

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.9 | EPSS: 0% | CPEs: 1 | EXPL: 2

Fortinet FortiAuthenticator 3.0.0 allows local users to bypass intended restrictions and gain privileges by creating /tmp/privexec/dbgcore_enable_shell_access and executing the "shell" command.

References:
• http://packetstormsecurity.com/files/130156/Fortinet-FortiAuthenticator-XSS-Disclosure-Bypass.html
• http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf
• http://www.securityfocus.com/bid/72378
• https://exchange.xforce.ibmcloud.com/vulnerabilities/100559

Weakness: CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 3

Cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the operation parameter to cert/scep/.

References:
• http://packetstormsecurity.com/files/130156/Fortinet-FortiAuthenticator-XSS-Disclosure-Bypass.html
• http://secunia.com/advisories/62836
• http://www.fortiguard.com/advisory/FG-IR-15-003
• http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf
• http://www.securityfocus.com/bid/72378
• https://exchange.xforce.ibmcloud.com/vulnerabilities/100561

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the slony PostgreSQL user and (2) www-data for the www-data PostgreSQL user, which makes it easier for remote attackers to obtain access via unspecified vectors.

References:
• http://packetstormsecurity.com/files/130156/Fortinet-FortiAuthenticator-XSS-Disclosure-Bypass.html
• http://www.fortiguard.com/advisory/FG-IR-15-003
• http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf
• http://www.securityfocus.com/bid/72378

Weakness: CWE-255: Credentials Management Errors

CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 2

Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command.

References:
• http://packetstormsecurity.com/files/130156/Fortinet-FortiAuthenticator-XSS-Disclosure-Bypass.html
• http://www.fortiguard.com/advisory/FG-IR-15-003
• http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiAuthenticator_Multiple_Vulnerabilities.pdf
• http://www.securityfocus.com/bid/72378
• https://exchange.xforce.ibmcloud.com/vulnerabilities/100560

Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor