Vulnerabilities > Fortinet > Fortios > 7.0.8
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-10 | CVE-2023-37935 | Unspecified vulnerability in Fortinet Fortios A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 and 7.4.0 allows an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services. | 7.5 |
| 2023-10-10 | CVE-2023-41675 | Use After Free vulnerability in Fortinet Fortios and Fortiproxy A use after free vulnerability [CWE-416] in FortiOS version 7.2.0 through 7.2.4 and version 7.0.0 through 7.0.10 and FortiProxy version 7.2.0 through 7.2.2 and version 7.0.0 through 7.0.8 may allow an unauthenticated remote attacker to crash the WAD process via multiple crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. | 5.3 |
| 2023-10-10 | CVE-2023-41841 | Unspecified vulnerability in Fortinet Fortios An improper authorization vulnerability in Fortinet FortiOS 7.0.0 - 7.0.11 and 7.2.0 - 7.2.4 allows an attacker belonging to the prof-admin profile to perform elevated actions. | 8.8 |
| 2023-09-13 | CVE-2023-29183 | Cross-site Scripting vulnerability in Fortinet Fortios and Fortiproxy An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiProxy 7.2.0 through 7.2.4, 7.0.0 through 7.0.10 and FortiOS 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14 GUI may allow an authenticated attacker to trigger malicious JavaScript code execution via crafted guest management setting. | 5.4 |
| 2023-07-26 | CVE-2023-33308 | Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy version 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 allows a remote unauthenticated attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside deep or full packet inspection. | 9.8 |
| 2023-07-11 | CVE-2023-28001 | Insufficient Session Expiration vulnerability in Fortinet Fortios An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API. | 9.8 |
| 2023-06-16 | CVE-2023-33306 | NULL Pointer Dereference vulnerability in Fortinet Fortios and Fortiproxy A null pointer dereference in Fortinet FortiOS before 7.2.5, before 7.0.11 and before 6.4.13, FortiProxy before 7.2.4 and before 7.0.10 allows attacker to denial of sslvpn service via specifically crafted request in bookmark parameter. | 6.5 |
| 2023-06-16 | CVE-2023-33307 | NULL Pointer Dereference vulnerability in Fortinet Fortios and Fortiproxy A null pointer dereference in Fortinet FortiOS before 7.2.5 and before 7.0.11, FortiProxy before 7.2.3 and before 7.0.9 allows attacker to denial of sslvpn service via specifically crafted request in network parameter. | 6.5 |
| 2023-06-13 | CVE-2022-41327 | Cleartext Transmission of Sensitive Information vulnerability in Fortinet Fortios and Fortiproxy A cleartext transmission of sensitive information vulnerability [CWE-319] in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.8, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.8 allows an authenticated attacker with readonly superadmin privileges to intercept traffic in order to obtain other adminstrators cookies via diagnose CLI commands. | 4.4 |
| 2023-06-13 | CVE-2022-42474 | Path Traversal vulnerability in Fortinet Fortiproxy and Fortiswitchmanager A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests. | 2.7 |