
CVE-2024-50565
https://notcve.org/view.php?id=CVE-2024-50565
08 Apr 2025 — An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyze... • https://fortiguard.fortinet.com/psirt/FG-IR-24-046 • CWE-300: Channel Accessible by Non-Endpoint •

CVE-2024-46671
https://notcve.org/view.php?id=CVE-2024-46671
08 Apr 2025 — An Incorrect User Management vulnerability [CWE-286] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, version 7.2.10 and below, version 7.0.11 and below widgets dashboard may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboard of other administrators via crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-184 • CWE-286: Incorrect User Management •

CVE-2025-25254
https://notcve.org/view.php?id=CVE-2025-25254
08 Apr 2025 — An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-474 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-25610
https://notcve.org/view.php?id=CVE-2023-25610
24 Mar 2025 — A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifi... • https://github.com/qi4L/CVE-2023-25610 • CWE-124: Buffer Underwrite ('Buffer Underflow') •

CVE-2024-55594
https://notcve.org/view.php?id=CVE-2024-55594
14 Mar 2025 — An improper handling of syntactically invalid structure in Fortinet FortiWeb at least versions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows an attacker to execute unauthorized code or commands via HTTP/S crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-115 • CWE-228: Improper Handling of Syntactically Invalid Structure •

CVE-2022-29059
https://notcve.org/view.php?id=CVE-2022-29059
14 Mar 2025 — An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to execute SQL commands over the log database via specifically crafted string parameters. • https://fortiguard.com/psirt/FG-IR-22-140 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-45324
https://notcve.org/view.php?id=CVE-2024-45324
11 Mar 2025 — A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute ... • https://fortiguard.fortinet.com/psirt/FG-IR-24-325 • CWE-134: Use of Externally-Controlled Format String •

CVE-2023-42784
https://notcve.org/view.php?id=CVE-2023-42784
11 Mar 2025 — An improper handling of syntactically invalid structure in Fortinet FortiWeb at least versions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows an attacker to execute unauthorized code or commands via HTTP/S crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-115 • CWE-228: Improper Handling of Syntactically Invalid Structure •

CVE-2024-55597 – Fortinet FortiWeb cgi_xmlprotection_xmlschemafile_post Directory Traversal Arbitrary File Write Vulnerability
https://notcve.org/view.php?id=CVE-2024-55597
11 Mar 2025 — An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiWeb versions 7.0.0 through 7.6.0 allows an attacker to execute unauthorized code or commands via crafted requests. This vulnerability allows remote attackers to create arbitrary XML schema files on affected installations of Fortinet FortiWeb. Authentication is required to exploit this vulnerability. The specific flaw exists within the cgi_xmlprotection_xmlschemafile_post function. The issue results from the lack o... • https://fortiguard.fortinet.com/psirt/FG-IR-24-439 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-50569 – Fortinet FortiWeb gui_upload_compress_act Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-50569
11 Feb 2025 — An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb 7.0.0 through 7.6.0 allows an attacker to execute unauthorized code or commands via crafted input. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fortinet FortiWeb. Authentication is required to exploit this vulnerability. The specific flaw exists within the gui_upload_compress_act function. The issue results from the lack of proper validation of a... • https://fortiguard.fortinet.com/psirt/FG-IR-24-438 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •