Vulnerabilities > Fortinet > Fortiweb > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-02-16 CVE-2023-23778 Path Traversal vulnerability in Fortinet Fortiweb
A relative path traversal vulnerability [CWE-23] in FortiWeb version 7.0.1 and below, 6.4 all versions, 6.3 all versions, 6.2 all versions may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests.
network
low complexity
fortinet CWE-22
6.5
2023-02-16 CVE-2023-23784 Path Traversal vulnerability in Fortinet Fortiweb
A relative path traversal in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to information disclosure via specially crafted web requests.
network
low complexity
fortinet CWE-22
6.5
2023-01-03 CVE-2022-42471 Injection vulnerability in Fortinet Fortiweb
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers.
network
low complexity
fortinet CWE-74
5.4
2022-04-06 CVE-2021-41026 Path Traversal vulnerability in Fortinet Fortiweb
A relative path traversal in FortiWeb versions 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
network
low complexity
fortinet CWE-22
6.5
2021-12-08 CVE-2021-36188 Cross-site Scripting vulnerability in Fortinet Fortiweb
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted GET parameters in requests to login and error handlers
network
low complexity
fortinet CWE-79
6.1
2021-12-08 CVE-2021-41013 Incorrect Authorization vulnerability in Fortinet Fortiweb
An improper access control vulnerability [CWE-284] in FortiWeb versions 6.4.1 and below and 6.3.15 and below in the Report Browse section of Log & Report may allow an unauthorized and unauthenticated user to access the Log reports via their URLs.
network
low complexity
fortinet CWE-863
5.3
2021-12-08 CVE-2021-36190 Unspecified vulnerability in Fortinet Fortiweb
A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests.
network
low complexity
fortinet
6.3
2021-12-08 CVE-2021-43063 Cross-site Scripting vulnerability in Fortinet Fortiweb
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage.
network
low complexity
fortinet CWE-79
6.1
2021-12-08 CVE-2021-36191 Open Redirect vulnerability in Fortinet Fortiweb
A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers
network
low complexity
fortinet CWE-601
5.4
2021-12-08 CVE-2021-41015 Cross-site Scripting vulnerability in Fortinet Fortiweb 6.4.0/6.4.1
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to SAML login handler
network
low complexity
fortinet CWE-79
6.1