Filtered by vendor Fortinet
Subscribe
Total
1059 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-50570 | 1 Fortinet | 1 Forticlient | 2025-07-24 | N/A | 5.0 MEDIUM |
|
A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiClientWindows 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13 and FortiClientLinux 7.4.0 through 7.4.2, 7.2.0 through 7.2.7, 7.0.0 through 7.0.13 may permit a local authenticated user to retrieve VPN password via memory dump, due to JavaScript's garbage collector
|
|||||
| CVE-2024-47573 | 1 Fortinet | 1 Fortindr | 2025-07-24 | N/A | 6.5 MEDIUM |
|
An improper validation of integrity check value vulnerability [CWE-354] in FortiNDR version 7.4.2 and below, version 7.2.1 and below, version 7.1.1 and below, version 7.0.6 and below may allow an authenticated attacker with at least Read/Write permission on system maintenance to install a corrupted firmware image.
|
|||||
| CVE-2024-46662 | 1 Fortinet | 2 Fortimanager, Fortimanager Cloud | 2025-07-24 | N/A | 8.8 HIGH |
|
A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3 allows attacker to escalation of privilege via specifically crafted packets
|
|||||
| CVE-2024-40590 | 1 Fortinet | 1 Fortiportal | 2025-07-24 | N/A | 4.8 MEDIUM |
|
An improper certificate validation vulnerability [CWE-295] in FortiPortal version 7.4.0, version 7.2.4 and below, version 7.0.8 and below, version 6.0.15 and below when connecting to a FortiManager device, a FortiAnalyzer device, or an SMTP server may allow an unauthenticated attacker in a Man-in-the-Middle position to intercept on and tamper with the encrypted communication channel established between the FortiPortal and those endpoints.
|
|||||
| CVE-2024-55597 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 5.5 MEDIUM |
|
A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiWeb versions 7.0.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted requests.
|
|||||
| CVE-2024-52960 | 1 Fortinet | 1 Fortisandbox | 2025-07-24 | N/A | 4.3 MEDIUM |
|
A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.
|
|||||
| CVE-2024-46663 | 1 Fortinet | 1 Fortimail | 2025-07-24 | N/A | 6.7 MEDIUM |
|
A stack-buffer overflow vulnerability [CWE-121] in Fortinet FortiMail CLI version 7.6.0 through 7.6.1 and before 7.4.3 allows a privileged attacker to execute arbitrary code or commands via specifically crafted CLI commands.
|
|||||
| CVE-2024-45328 | 1 Fortinet | 1 Fortisandbox | 2025-07-24 | N/A | 7.8 HIGH |
|
An incorrect authorization vulnerability [CWE-863] in FortiSandbox 4.4.0 through 4.4.6 may allow a low priviledged administrator to execute elevated CLI commands via the GUI console menu.
|
|||||
| CVE-2024-40585 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2025-07-23 | N/A | 6.5 MEDIUM |
|
An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiManager version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below and FortiAnalyzer version 7.4.0, version 7.2.3 and below, version 7.0.8 and below, version 6.4.12 and below, version 6.2.11 and below eventlog may allow any low privileged user with access to event log section to retrieve certificate private key and encrypted password logged as system log.
|
|||||
| CVE-2023-33300 | 1 Fortinet | 1 Fortinac | 2025-07-23 | N/A | 5.3 MEDIUM |
|
A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiNAC 7.2.1 and earlier, 9.4.3 and earlier allows attacker a limited, unauthorized file access via specifically crafted request in inter-server communication port.
|
|||||
| CVE-2024-48887 | 1 Fortinet | 1 Fortiswitch | 2025-07-23 | N/A | 9.8 CRITICAL |
|
A unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request
|
|||||
| CVE-2025-22855 | 1 Fortinet | 1 Forticlientems | 2025-07-23 | N/A | 2.7 LOW |
|
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing javascript code.
|
|||||
| CVE-2024-54025 | 1 Fortinet | 1 Fortiisolator | 2025-07-23 | N/A | 6.7 MEDIUM |
|
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator CLI before version 2.4.6 allows a privileged attacker to execute unauthorized code or commands via crafted CLI requests.
|
|||||
| CVE-2024-54024 | 1 Fortinet | 1 Fortiisolator | 2025-07-23 | N/A | 7.2 HIGH |
|
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator before version 2.4.6 allows a privileged attacker with super-admin profile and CLI access to execute unauthorized code via specifically crafted HTTP requests.
|
|||||
| CVE-2024-52962 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2025-07-23 | N/A | 5.3 MEDIUM |
|
An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiAnalyzer version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.13 and below and FortiManager version 7.6.1 and below, version 7.4.5 and below, version 7.2.8 and below, version 7.0.12 and below may allow an unauthenticated remote attacker to pollute the logs via crafted login requests.
|
|||||
| CVE-2023-33302 | 1 Fortinet | 2 Fortimail, Fortindr | 2025-07-23 | N/A | 4.7 MEDIUM |
|
A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiMail webmail and administrative interface version 6.4.0 through 6.4.4 and before 6.2.6 and FortiNDR administrative interface version 7.2.0 and before 7.1.0 allows an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests.
|
|||||
| CVE-2021-26091 | 1 Fortinet | 1 Fortimail | 2025-07-23 | N/A | 7.5 HIGH |
|
A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.
|
|||||
| CVE-2019-16151 | 1 Fortinet | 1 Fortios | 2025-07-23 | N/A | 4.7 MEDIUM |
|
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS 6.4.1 and below, 6.2.9 and below may allow a remote unauthenticated attacker to either redirect users to malicious websites via a crafted "Host" header or to execute JavaScript code in the victim's browser context.
This happens when the FortiGate has web filtering and category override enabled/configured.
|
|||||
| CVE-2024-55590 | 1 Fortinet | 1 Fortiisolator | 2025-07-23 | N/A | 8.8 HIGH |
|
Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiIsolator version 2.4.0 through 2.4.5 allows an authenticated attacker with at least read-only admin permission and CLI access to execute unauthorized code via specifically crafted CLI commands.
|
|||||
| CVE-2024-54018 | 1 Fortinet | 1 Fortisandbox | 2025-07-23 | N/A | 7.2 HIGH |
|
Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] in FortiSandbox before 4.4.5 allows a privileged attacker to execute unauthorized commands via crafted requests.
|
|||||
| CVE-2023-37933 | 1 Fortinet | 1 Fortiadc | 2025-07-22 | N/A | 8.8 HIGH |
|
An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC GUI version 7.4.0, 7.2.0 through 7.2.1 and before 7.1.3 allows an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPs requests.
|
|||||
| CVE-2025-24470 | 1 Fortinet | 1 Fortiportal | 2025-07-22 | N/A | 8.6 HIGH |
|
An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests.
|
|||||
| CVE-2024-52966 | 1 Fortinet | 1 Fortianalyzer | 2025-07-22 | N/A | 2.3 LOW |
|
An exposure of sensitive information to an unauthorized actor in Fortinet FortiAnalyzer 6.4.0 through 7.6.0 allows attacker to cause information disclosure via filter manipulation.
|
|||||
| CVE-2024-50569 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 6.6 MEDIUM |
|
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.0.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted input.
|
|||||
| CVE-2024-50567 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 7.2 HIGH |
|
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.4.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted input.
|
|||||
| CVE-2024-40584 | 1 Fortinet | 5 Fortianalyzer, Fortianalyzer Big Data, Fortianalyzer Cloud and 2 more | 2025-07-22 | N/A | 7.2 HIGH |
|
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiManager version 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.0 through 7.0.13, 6.4.0 through 6.4.15 and 6.2.2 through 6.2.13, Fortinet FortiAnalyzer BigData version 7.4.0, 7.2.0 through 7.2.7, 7.0.1 through 7.0.6, 6.4.5 thr ...
Show More |
|||||
| CVE-2024-46666 | 1 Fortinet | 1 Fortios | 2025-07-22 | N/A | 5.3 MEDIUM |
|
An allocation of resources without limits or throttling [CWE-770] vulnerability in FortiOS versions 7.6.0, versions 7.4.4 through 7.4.0, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow a remote unauthenticated attacker to prevent access to the GUI via specially crafted requests directed at specific endpoints.
|
|||||
| CVE-2024-36504 | 1 Fortinet | 1 Fortios | 2025-07-22 | N/A | 6.5 MEDIUM |
|
An out-of-bounds read vulnerability [CWE-125] in FortiOS SSLVPN web portal versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, 7.0 all verisons, and 6.4 all versions may allow an authenticated attacker to perform a denial of service on the SSLVPN web portal via a specially crafted URL.
|
|||||
| CVE-2023-37931 | 1 Fortinet | 1 Fortivoice | 2025-07-22 | N/A | 8.8 HIGH |
|
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-88] in FortiVoice Entreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind sql injection attack via sending crafted HTTP or HTTPS requests
|
|||||
| CVE-2024-45329 | 1 Fortinet | 1 Fortiportal | 2025-07-22 | N/A | 4.3 MEDIUM |
|
A authorization bypass through user-controlled key in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.8 may allow an authenticated attacker to view unauthorized device information via key modification in API requests.
|
|||||
| CVE-2025-25254 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 7.2 HIGH |
|
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests.
|
|||||
| CVE-2023-48790 | 1 Fortinet | 1 Fortindr | 2025-07-22 | N/A | 7.5 HIGH |
|
A cross site request forgery vulnerability [CWE-352] in Fortinet FortiNDR version 7.4.0, 7.2.0 through 7.2.1 and 7.1.0 through 7.1.1 and before 7.0.5 may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests.
|
|||||
| CVE-2023-42784 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 5.6 MEDIUM |
|
An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.
|
|||||
| CVE-2023-40723 | 1 Fortinet | 1 Fortisiem | 2025-07-22 | N/A | 8.1 HIGH |
|
An exposure of sensitive information to an unauthorized actor in Fortinet FortiSIEM version 6.7.0 through 6.7.4 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 and 6.3.0 through 6.3.3 and 6.2.0 through 6.2.1 and 6.1.0 through 6.1.2 and 5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 and 5.2.1 through 5.2.2 and 5.1.0 through 5.1.3 allows attacker to execute unauthorized code or commands via api request.
|
|||||
| CVE-2025-24474 | 1 Fortinet | 4 Fortianalyzer, Fortianalyzer Cloud, Fortimanager and 1 more | 2025-07-22 | N/A | 2.7 LOW |
|
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all ve ...
Show More |
|||||
| CVE-2025-24471 | 1 Fortinet | 2 Fortios, Fortisase | 2025-07-22 | N/A | 6.5 MEDIUM |
|
An Improper Certificate Validation vulnerability [CWE-295] in FortiOS version 7.6.1 and below, version 7.4.7 and below may allow an EAP verified remote user to connect from FortiClient via revoked certificate.
|
|||||
| CVE-2025-25250 | 1 Fortinet | 2 Fortios, Fortisase | 2025-07-22 | N/A | 4.3 MEDIUM |
|
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS version 7.6.0, version 7.4.7 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions SSL-VPN web-mode may allow an authenticated user to access full SSL-VPN settings via crafted URL.
|
|||||
| CVE-2024-52965 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-07-22 | N/A | 7.2 HIGH |
|
A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.
|
|||||
| CVE-2024-32124 | 1 Fortinet | 1 Fortiisolator | 2025-07-22 | N/A | 4.3 MEDIUM |
|
An improper access control vulnerability [CWE-284] in FortiIsolator version 2.4.4, version 2.4.3, 2.3 all versions logging component may allow a remote authenticated read-only attacker to alter logs via a crafted HTTP request.
|
|||||
| CVE-2024-27779 | 1 Fortinet | 2 Fortiisolator, Fortisandbox | 2025-07-22 | N/A | 6.7 MEDIUM |
|
An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted.
|
|||||