CVSS: 10.0EPSS: 7%CPEs: 42EXPL: 1CVE-2023-25610
https://notcve.org/view.php?id=CVE-2023-25610
24 Mar 2025 — A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifi... • https://github.com/qi4L/CVE-2023-25610 • CWE-124: Buffer Underwrite ('Buffer Underflow') •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-29059
https://notcve.org/view.php?id=CVE-2022-29059
14 Mar 2025 — An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings parameters. An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 a... • https://fortiguard.com/psirt/FG-IR-22-140 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-46713
https://notcve.org/view.php?id=CVE-2023-46713
13 Dec 2023 — An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application. Una neutralización de salida inadecuada para los registros en Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 y 7.4.0 puede permitir que un atacante falsifique registros de tráfico a través de una URL manipulada de la aplicación web. • https://fortiguard.com/psirt/FG-IR-23-256 • CWE-117: Improper Output Neutralization for Logs •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-43955
https://notcve.org/view.php?id=CVE-2022-43955
11 Apr 2023 — An improper neutralization of input during web page generation [CWE-79] in the FortiWeb web interface 7.0.0 through 7.0.3, 6.3.0 through 6.3.21, 6.4 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack (XSS) via injecting malicious payload in log entries used to build report. • https://fortiguard.com/psirt/FG-IR-22-428 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-22297
https://notcve.org/view.php?id=CVE-2022-22297
07 Mar 2023 — An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiWeb version 6.4.0 through 6.4.1, FortiWeb version 6.3.0 through 6.3.17, FortiWeb all versions 6.2, FortiWeb all versions 6.1, FortiWeb all versions 6.0, FortiRecorder version 6.4.0 through 6.4.3, FortiRecorder all versions 6.0, FortiRecorder all versions 2.7 may allow an authenticated user to read arbitrary files via specially crafted command arguments. • https://fortiguard.com/psirt/FG-IR-21-218 • CWE-792: Incomplete Filtering of One or More Instances of Special Elements •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-23778
https://notcve.org/view.php?id=CVE-2023-23778
16 Feb 2023 — A relative path traversal vulnerability [CWE-23] in FortiWeb version 7.0.1 and below, 6.4 all versions, 6.3 all versions, 6.2 all versions may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests. • https://fortiguard.com/psirt/FG-IR-22-142 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-23782
https://notcve.org/view.php?id=CVE-2023-23782
16 Feb 2023 — A heap-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb version 6.3.0 through 6.3.19, FortiWeb 6.4 all versions, FortiWeb 6.2 all versions, FortiWeb 6.1 all versions allows attacker to escalation of privilege via specifically crafted arguments to existing commands. • https://fortiguard.com/psirt/FG-IR-22-111 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-25602
https://notcve.org/view.php?id=CVE-2023-25602
16 Feb 2023 — A stack-based buffer overflow in Fortinet FortiWeb 6.4 all versions, FortiWeb versions 6.3.17 and earlier, FortiWeb versions 6.2.6 and earlier, FortiWeb versions 6.1.2 and earlier, FortiWeb versions 6.0.7 and earlier, FortiWeb versions 5.9.1 and earlier, FortiWeb 5.8 all versions, FortiWeb 5.7 all versions, FortiWeb 5.6 all versions allows attacker to execute unauthorized code or commands via specially crafted command arguments. • https://fortiguard.com/psirt/FG-IR-21-234 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 82%CPEs: 5EXPL: 1CVE-2021-42756
https://notcve.org/view.php?id=CVE-2021-42756
16 Feb 2023 — Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests. Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all ve... • https://github.com/3ndorph1n/CVE-2021-42756 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 2%CPEs: 6EXPL: 0CVE-2021-42761
https://notcve.org/view.php?id=CVE-2021-42761
16 Feb 2023 — A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session. A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6... • https://fortiguard.com/psirt/FG-IR-21-214 • CWE-384: Session Fixation •