Vulnerabilities > Fortinet > Fortianalyzer > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-03-12 CVE-2023-41842 Use of Externally-Controlled Format String vulnerability in Fortinet products
A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiManager version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.3 and before 7.0.10, Fortinet FortiAnalyzer-BigData before 7.2.5 and Fortinet FortiPortal version 6.0 all versions and version 5.3 all versions allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.
local
low complexity
fortinet CWE-134
6.7
2024-02-15 CVE-2023-44253 Unspecified vulnerability in Fortinet Fortianalyzer and Fortimanager
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiManager version 7.4.0 through 7.4.1 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.1 and before 7.2.5 and FortiAnalyzer-BigData before 7.2.5 allows an adom administrator to enumerate other adoms and device names via crafted HTTP or HTTPS requests.
network
low complexity
fortinet
5.0
2023-11-14 CVE-2023-40719 Use of Hard-coded Credentials vulnerability in Fortinet Fortianalyzer and Fortimanager
A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials.
local
low complexity
fortinet CWE-798
5.5
2023-10-20 CVE-2023-44256 Server-Side Request Forgery (SSRF) vulnerability in Fortinet Fortianalyzer and Fortimanager
A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 allows a remote attacker with low privileges to view sensitive data from internal servers or perform a local port scan via a crafted HTTP request.
network
low complexity
fortinet CWE-918
6.5
2023-10-10 CVE-2023-42782 Insufficient Verification of Data Authenticity vulnerability in Fortinet Fortianalyzer
A insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer version 7.4.0 and below 7.2.3 allows a remote unauthenticated attacker to send messages to the syslog server of FortiAnalyzer via the knoweldge of an authorized device serial number.
network
low complexity
fortinet CWE-345
5.3
2023-10-10 CVE-2023-42787 Unspecified vulnerability in Fortinet Fortianalyzer and Fortimanager
A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 may allow a remote attacker with low privileges to access a privileged web console via client side code execution.
network
low complexity
fortinet
6.5
2023-10-10 CVE-2023-42788 OS Command Injection vulnerability in Fortinet Fortianalyzer and Fortimanager
An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in FortiManager & FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.8, version 6.4.0 through 6.4.12 and version 6.2.0 through 6.2.11 may allow a local attacker with low privileges to execute unauthorized code via specifically crafted arguments to a CLI command
local
low complexity
fortinet CWE-78
6.7
2023-10-10 CVE-2023-44249 Authorization Bypass Through User-Controlled Key vulnerability in Fortinet Fortianalyzer and Fortimanager
An authorization bypass through user-controlled key [CWE-639] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 allows a remote attacker with low privileges to read sensitive information via crafted HTTP requests.
network
low complexity
fortinet CWE-639
6.5
2023-09-13 CVE-2023-36638 Unspecified vulnerability in Fortinet Fortianalyzer and Fortimanager
An improper privilege management vulnerability [CWE-269] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.
network
low complexity
fortinet
4.3
2023-09-01 CVE-2022-22305 Improper Certificate Validation vulnerability in Fortinet products
An improper certificate validation vulnerability [CWE-295] in FortiManager 7.0.1 and below, 6.4.6 and below; FortiAnalyzer 7.0.2 and below, 6.4.7 and below; FortiOS 6.2.x and 6.0.x; FortiSandbox 4.0.x, 3.2.x and 3.1.x may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
high complexity
fortinet CWE-295
4.2