CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48789
https://notcve.org/view.php?id=CVE-2023-48789
A client-side enforcement of server-side security in Fortinet FortiPortal version 6.0.0 through 6.0.14 allows attacker to improper access control via crafted HTTP requests. Una aplicación de la seguridad del lado del servidor en Fortinet FortiPortal versión 6.0.0 a 6.0.14 permite al atacante realizar un control de acceso inadecuado a través de solicitudes HTTP manipuladas. • https://fortiguard.fortinet.com/psirt/FG-IR-23-406 • CWE-602: Client-Side Enforcement of Server-Side Security •
CVSS: 6.7EPSS: 0%CPEs: 11EXPL: 0CVE-2023-41842
https://notcve.org/view.php?id=CVE-2023-41842
A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiManager version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer-BigData before 7.2.5 and Fortinet FortiPortal version 6.0 all versions and version 5.3 all versions allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments. Un uso de vulnerabilidad de cadena de formato controlada externamente [CWE-134] en Fortinet FortiManager versión 7.4.0 a 7.4.1, versión 7.2.0 a 7.2.3 y anteriores a 7.0.10, Fortinet FortiAnalyzer versión 7.4.0 a 7.4.1 , versión 7.2.0 a 7.2.3 y anteriores a 7.0.10, Fortinet FortiAnalyzer-BigData anterior a 7.2.5 y Fortinet FortiPortal versión 6.0 todas las versiones y la versión 5.3 todas las versiones permite a un atacante privilegiado ejecutar código o comandos no autorizados a través de argumentos de comando especialmente manipulados. • https://fortiguard.com/psirt/FG-IR-23-304 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48783
https://notcve.org/view.php?id=CVE-2023-48783
An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting PortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to access to other organization endpoints via crafted GET requests. Una vulnerabilidad de omisión de autorización a través de clave controlada por el usuario [CWE-639] que afecta a PortiPortal versión 7.2.1 e inferior, versión 7.0.6 e inferior, versión 6.0.14 e inferior, versión 5.3.8 e inferior puede permitir que un usuario autenticado remotamente con al menos permisos de solo lectura para acceder a otros endpoints de la organización a través de solicitudes GET manipuladas. • https://fortiguard.com/psirt/FG-IR-23-408 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0CVE-2022-27490
https://notcve.org/view.php?id=CVE-2022-27490
A exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.x, 6.0.x allows an attacker which has obtained access to a restricted administrative account to obtain sensitive information via `diagnose debug` commands. • https://fortiguard.com/psirt/FG-IR-18-232 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-41336
https://notcve.org/view.php?id=CVE-2022-41336
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via sending request with specially crafted columnindex parameter. • https://fortiguard.com/psirt/FG-IR-22-313 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •