CVE-2022-23447
https://notcve.org/view.php?id=CVE-2022-23447
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-039 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-27489
https://notcve.org/view.php?id=CVE-2022-27489
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. • https://fortiguard.com/psirt/FG-IR-22-048 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-15710
https://notcve.org/view.php?id=CVE-2019-15710
An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands. Una vulnerabilidad de inyección de comandos de Sistema Operativo en FortiExtender versión 4.1.0 a 4.1.1, versión 4.0.0 y anteriores en la consola de administración de la CLI puede permitir que administradores no autorizados ejecuten comandos arbitrarios a nivel del sistema por medio de comandos de "execute date" especialmente diseñados. • https://fortiguard.com/psirt/FG-IR-19-273 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •