Filtered by vendor Fortinet
Subscribe
Total
1059 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9287 | 1 Fortinet | 1 Forticlient Emergency Management Server | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
|
An Unsafe Search Path vulnerability in FortiClient EMS online installer 6.2.1 and below may allow a local attacker with control over the directory in which FortiClientEMSOnlineInstaller.exe resides to execute arbitrary code on the system via uploading malicious Filter Library DLL files in that directory.
|
|||||
| CVE-2020-9286 | 1 Fortinet | 2 Fortiadc, Fortiadc Firmware | 2024-11-21 | 6.8 MEDIUM | 6.5 MEDIUM |
|
An improper authorization vulnerability in FortiADC may allow a remote authenticated user with low privileges to perform certain actions such as rebooting the system.
|
|||||
| CVE-2020-6649 | 1 Fortinet | 1 Fortiisolator | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
|
|||||
| CVE-2020-6648 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-11-21 | 4.0 MEDIUM | 5.3 MEDIUM |
|
A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may allow an authenticated attacker to obtain sensitive information such as users passwords by connecting to FortiGate CLI and executing the "diag sys ha checksum show" command.
|
|||||
| CVE-2020-6647 | 1 Fortinet | 1 Fortiadc Firmware | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter.
|
|||||
| CVE-2020-6646 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message.
|
|||||
| CVE-2020-6644 | 1 Fortinet | 1 Fortideceptor | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.
|
|||||
| CVE-2020-6643 | 1 Fortinet | 1 Fortiisolator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack (XSS).
|
|||||
| CVE-2020-6641 | 1 Fortinet | 1 Fortipresence | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Two authorization bypass through user-controlled key vulnerabilities in the Fortinet FortiPresence 2.1.0 administration interface may allow an attacker to gain access to some user data via portal manager or portal users parameters.
|
|||||
| CVE-2020-6640 | 1 Fortinet | 1 Fortianalyzer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
|
|||||
| CVE-2020-29019 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow a remote, unauthenticated attacker to crash the httpd daemon thread by sending a request with a crafted cookie header.
|
|||||
| CVE-2020-29018 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A format string vulnerability in FortiWeb 6.3.0 through 6.3.5 may allow an authenticated, remote attacker to read the content of memory and retrieve sensitive data via the redir parameter.
|
|||||
| CVE-2020-29017 | 1 Fortinet | 1 Fortideceptor | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
An OS command injection vulnerability in FortiDeceptor 3.1.0, 3.0.1, 3.0.0 may allow a remote authenticated attacker to execute arbitrary commands on the system by exploiting a command injection vulnerability on the Customization page.
|
|||||
| CVE-2020-29016 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through 6.3.5 and version before 6.2.4 may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.
|
|||||
| CVE-2020-29015 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.
|
|||||
| CVE-2020-29014 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 6.3 MEDIUM | 6.3 MEDIUM |
|
A concurrent execution using shared resource with improper synchronization ('race condition') in the command shell of FortiSandbox before 3.2.2 may allow an authenticated attacker to bring the system into an unresponsive state via specifically orchestrated sequences of commands.
|
|||||
| CVE-2020-29013 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
An improper input validation vulnerability in the sniffer interface of FortiSandbox before 3.2.2 may allow an authenticated attacker to silently halt the sniffer via specifically crafted requests.
|
|||||
| CVE-2020-29012 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 5.0 MEDIUM | 5.6 MEDIUM |
|
An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
|
|||||
| CVE-2020-29011 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Instances of SQL Injection vulnerabilities in the checksum search and MTA-quarantine modules of FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests.
|
|||||
| CVE-2020-15942 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An information disclosure vulnerability in Web Vulnerability Scan profile of Fortinet's FortiWeb version 6.2.x below 6.2.4 and version 6.3.x below 6.3.5 may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.
|
|||||
| CVE-2020-15941 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages.
|
|||||
| CVE-2020-15940 | 1 Fortinet | 1 Forticlient Enterprise Management Server | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |
|
An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server.
|
|||||
| CVE-2020-15939 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.
|
|||||
| CVE-2020-15938 | 1 Fortinet | 1 Fortios | 2024-11-21 | 4.3 MEDIUM | 4.0 MEDIUM |
|
When traffic other than HTTP/S (eg: SSH traffic, etc...) traverses the FortiGate in version below 6.2.5 and below 6.4.2 on port 80/443, it is not redirected to the transparent proxy policy for processing, as it doesn't have a valid HTTP header.
|
|||||
| CVE-2020-15937 | 1 Fortinet | 1 Fortios | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
|
An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard.
|
|||||
| CVE-2020-15936 | 1 Fortinet | 1 Fortios | 2024-11-21 | 4.0 MEDIUM | 2.6 LOW |
|
A improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, version 5.6.13 and below allows attacker to disclose sensitive information via SNI Client Hello TLS packets.
|
|||||
| CVE-2020-15935 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A cleartext storage of sensitive information in GUI in FortiADC versions 5.4.3 and below, 6.0.0 and below may allow a remote authenticated attacker to retrieve some sensitive information such as users LDAP passwords and RADIUS shared secret by deobfuscating the passwords entry fields.
|
|||||
| CVE-2020-15933 | 1 Fortinet | 1 Fortimail | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A exposure of sensitive information to an unauthorized actor in Fortinet FortiMail versions 6.0.9 and below, FortiMail versions 6.2.4 and below FortiMail versions 6.4.1 and 6.4.0 allows attacker to obtain potentially sensitive software-version information via client-side resources inspection.
|
|||||
| CVE-2020-12818 | 1 Fortinet | 36 Fortigate 1000d, Fortigate 100e, Fortigate 100f and 33 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
An insufficient logging vulnerability in FortiGate before 6.4.1 may allow the traffic from an unauthenticated attacker to Fortinet owned IP addresses to go unnoticed.
|
|||||
| CVE-2020-12817 | 1 Fortinet | 2 Fortianalyzer, Fortitester | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An improper neutralization of input vulnerability in FortiAnalyzer before 6.4.1 and 6.2.5 may allow a remote authenticated attacker to inject script related HTML tags via Name parameter of Storage Connectors.
|
|||||
| CVE-2020-12816 | 1 Fortinet | 1 Fortinac | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An improper neutralization of input vulnerability in FortiNAC before 8.7.2 may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the UserID of Admin Users.
|
|||||
| CVE-2020-12815 | 1 Fortinet | 2 Fortianalyzer, Fortitester | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script related HTML tags via IPv4/IPv6 address fields.
|
|||||
| CVE-2020-12814 | 1 Fortinet | 1 Fortianalyzer | 2024-11-21 | 3.5 LOW | 4.1 MEDIUM |
|
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.
|
|||||
| CVE-2020-12811 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
An improper neutralization of script-related HTML tags in a web page in FortiManager 6.2.0, 6.2.1, 6.2.2, and 6.2.3and FortiAnalyzer 6.2.0, 6.2.1, 6.2.2, and 6.2.3 may allow an attacker to execute a cross site scripting (XSS) via the Identify Provider name field.
|
|||||
| CVE-2019-6700 | 1 Fortinet | 1 Fortisiem | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An information exposure vulnerability in the external authentication profile form of FortiSIEM 5.2.2 and earlier may allow an authenticated attacker to retrieve the external authentication password via the HTML source code.
|
|||||
| CVE-2019-6699 | 1 Fortinet | 1 Fortiadc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.
|
|||||
| CVE-2019-6698 | 1 Fortinet | 4 Fortirecorder 100d, Fortirecorder 200d, Fortirecorder 400d and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Use of Hard-coded Credentials vulnerability in FortiRecorder all versions below 2.7.4 may allow an unauthenticated attacker with knowledge of the aforementioned credentials and network access to FortiCameras to take control of those, provided they are managed by a FortiRecorder device.
|
|||||
| CVE-2019-6696 | 1 Fortinet | 1 Fortios | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
|
An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage.
|
|||||
| CVE-2019-6695 | 1 Fortinet | 1 Fortimanager | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, 6.0.6 and below may allow an attacker to implant third-party programs by recreating the image through specific methods.
|
|||||
| CVE-2019-6692 | 1 Fortinet | 1 Forticlient | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
A malicious DLL preload vulnerability in Fortinet FortiClient for Windows 6.2.0 and below allows a privileged attacker to perform arbitrary code execution via forging that DLL.
|
|||||