Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2025-01-14 CVE-2024-48890 OS Command Injection vulnerability in Fortinet Fortisoar Imap Connector 3.5.6/3.5.7
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted playbook
network
low complexity
fortinet CWE-78
8.8
2025-01-14 CVE-2024-48893 Cross-site Scripting vulnerability in Fortinet Fortisoar
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the creation of malicious playbook.
network
low complexity
fortinet CWE-79
5.4
2025-01-14 CVE-2024-50564 Use of Hard-coded Credentials vulnerability in Fortinet Forticlient
A use of hard-coded cryptographic key in Fortinet FortiClientWindows version 7.4.0, 7.2.x all versions, 7.0.x all versions, and 6.4.x all versions may allow a low-privileged user to decrypt interprocess communication via monitoring named piped.
local
low complexity
fortinet CWE-798
3.3
2025-01-14 CVE-2024-50566 OS Command Injection vulnerability in Fortinet Fortimanager and Fortimanager Cloud
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiManager versions 7.6.0 through 7.6.1, versions 7.4.5 through 7.4.0, and versions 7.2.1 through 7.2.8, FortiManager Cloud versions 7.6.0 through 7.6.1, versions 7.4.0 through 7.4.4, and versions 7.2.2 through 7.2.7 may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests.
network
low complexity
fortinet CWE-78
8.8
2025-01-14 CVE-2024-52963 Out-of-bounds Write vulnerability in Fortinet Fortios
A out-of-bounds write in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4.0 through 6.4.15 allows attacker to trigger a denial of service via specially crafted packets.
network
high complexity
fortinet CWE-787
5.9
2025-01-14 CVE-2024-52967 Cross-site Scripting vulnerability in Fortinet Fortiportal
An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows attacker to execute unauthorized code or commands via html injection.
network
low complexity
fortinet CWE-79
4.8
2025-01-14 CVE-2024-52969 SQL Injection vulnerability in Fortinet Fortisiem
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSIEM ersion 7.1.7 and below, version 7.1.0, version 7.0.3 and below, version 6.7.9 and below, 6.7.8, version 6.6.5 and below, version 6.5.3 and below, version 6.4.4 and below Update/Create Case feature may allow an authenticated attacker to extract database information via crafted requests.
network
low complexity
fortinet CWE-89
6.5
2025-01-14 CVE-2024-54021 Interpretation Conflict vulnerability in Fortinet Fortios and Fortiproxy
An improper neutralization of crlf sequences in http headers ('http response splitting') in Fortinet FortiOS 7.2.0 through 7.6.0, FortiProxy 7.2.0 through 7.4.5 allows attacker to execute unauthorized code or commands via crafted HTTP header.
network
low complexity
fortinet CWE-436
critical
9.8
2025-01-14 CVE-2024-55591 Unspecified vulnerability in Fortinet Fortios and Fortiproxy
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
network
low complexity
fortinet
critical
9.8
2025-01-14 CVE-2024-55593 SQL Injection vulnerability in Fortinet Fortiweb
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows attacker to gain information disclosure via crafted SQL queries
network
low complexity
fortinet CWE-89
2.7