CVE-2022-22302
https://notcve.org/view.php?id=CVE-2022-22302
A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem. • https://fortiguard.com/psirt/FG-IR-20-014 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2023-26208
https://notcve.org/view.php?id=CVE-2023-26208
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form. • https://fortiguard.com/psirt/FG-IR-20-078 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2021-26116
https://notcve.org/view.php?id=CVE-2021-26116
An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands. Una neutralización inapropiada de los elementos especiales usados en una vulnerabilidad de comandos del Sistema Operativo en el intérprete de línea de comandos de FortiAuthenticator versiones anteriores a 6.3.1, puede permitir a un atacante autenticado ejecutar comandos no autorizados por medio de argumentos específicamente diseñados para comandos existentes • https://fortiguard.com/advisory/FG-IR-21-068 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-36177
https://notcve.org/view.php?id=CVE-2021-36177
An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database. Una vulnerabilidad de control de acceso inapropiado [CWE-284] en el servicio FortiAuthenticator HA versiones 6.3.2 y anteriores, 6.2.x, 6.1.x, 6.0.x puede permitir a un atacante en la misma vlan que la interfaz de administración de HA realizar una conexión directa no autenticada a la base de datos de la FAC • https://fortiguard.com/psirt/FG-IR-20-217 •
CVE-2021-22124
https://notcve.org/view.php?id=CVE-2021-22124
An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters. Una vulnerabilidad de consumo no controlado de recursos (denegación de servicio) en los módulos de inicio de sesión de FortiSandbox versiones 3.2.0 hasta 3.2.2, 3.1.0 hasta 3.1.4, y 3.0.0 hasta 3.0.6; y FortiAuthenticator versiones anteriores a 6.0.6, puede permitir a un atacante no autenticado llevar el dispositivo a un estado de no respuesta por medio de parámetros long request específicamente diseñados • https://fortiguard.com/advisory/FG-IR-20-170 • CWE-400: Uncontrolled Resource Consumption •