
CVE-2024-40590
https://notcve.org/view.php?id=CVE-2024-40590
14 Mar 2025 — An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept and tamper with the encrypted communication channel established between the FortiPortal and those endpoints. • https://fortiguard.fortinet.com/psirt/FG-IR-22-155 • CWE-295: Improper Certificate Validation •

CVE-2025-24470
https://notcve.org/view.php?id=CVE-2025-24470
11 Feb 2025 — An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-25-015 • CWE-41: Improper Resolution of Path Equivalence •

CVE-2022-23439
https://notcve.org/view.php?id=CVE-2022-23439
22 Jan 2025 — An externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.... • https://fortiguard.com/psirt/FG-IR-21-254 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •

CVE-2024-35278
https://notcve.org/view.php?id=CVE-2024-35278
14 Jan 2025 — An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiPortal versions 7.2.4 through 7.2.0 and 7.0.0 through 7.2.8 may allow an authenticated attacker to view the SQL query being run server-side when submitting an HTTP request, via including special elements in said request. • https://fortiguard.fortinet.com/psirt/FG-IR-24-086 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-52967
https://notcve.org/view.php?id=CVE-2024-52967
14 Jan 2025 — An improper neutralization of script-related HTML tags in a web page (basic XSS) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows an attacker to execute unauthorized code or commands via HTML injection. • https://fortiguard.fortinet.com/psirt/FG-IR-24-211 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2024-26011
https://notcve.org/view.php?id=CVE-2024-26011
12 Nov 2024 — A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, ... • https://fortiguard.fortinet.com/psirt/FG-IR-24-032 • CWE-306: Missing Authentication for Critical Function •

CVE-2023-47543
https://notcve.org/view.php?id=CVE-2023-47543
12 Nov 2024 — An authorization bypass through user-controlled key vulnerability [CWE-639] in Fortinet FortiPortal version 7.0.0 through 7.0.3 allows an authenticated attacker to interact with resources of other organizations via HTTP or HTTPS requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-448 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2024-21759
https://notcve.org/view.php?id=CVE-2024-21759
09 Jul 2024 — An authorization bypass through user-controlled key in Fortinet FortiPortal version 7.2.0, and versions 7.0.0 through 7.0.6 allows an attacker to view unauthorized resources via HTTP or HTTPS requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-011 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2024-31495
https://notcve.org/view.php?id=CVE-2024-31495
11 Jun 2024 — An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and version 7.2.0 allows a privileged user to obtain unauthorized information via the report download functionality. • https://fortiguard.fortinet.com/psirt/FG-IR-24-128 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-48789
https://notcve.org/view.php?id=CVE-2023-48789
03 Jun 2024 — A client-side enforcement of server-side security in Fortinet FortiPortal version 6.0.0 through 6.0.14 allows an attacker to achieve improper access control via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-406 • CWE-602: Client-Side Enforcement of Server-Side Security •