Vulnerabilities > Fortinet

DATE CVE VULNERABILITY TITLE RISK
2023-04-11 CVE-2022-27485 SQL Injection vulnerability in Fortinet Fortisandbox
A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.
network
low complexity
fortinet CWE-89
6.5
2023-04-11 CVE-2022-27487 Improper Privilege Management vulnerability in Fortinet Fortideceptor and Fortisandbox
A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.
network
low complexity
fortinet CWE-269
8.8
2023-04-11 CVE-2022-35850 Cross-site Scripting vulnerability in Fortinet Fortiauthenticator
An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.
network
low complexity
fortinet CWE-79
6.1
2023-04-11 CVE-2022-40679 OS Command Injection vulnerability in Fortinet Fortiadc, Fortiddos and Fortiddos-F
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC 5.x all versions, 6.0 all versions, 6.1 all versions, 6.2.0 through 6.2.4, 7.0.0 through 7.0.3, 7.1.0; FortiDDoS 4.x all versions, 5.0 all versions, 5.1 all versions, 5.2 all versions, 5.3 all versions, 5.4 all versions, 5.5 all versions, 5.6 all versions and FortiDDoS-F 6.4.0, 6.3.0 through 6.3.3, 6.2.0 through 6.2.2, 6.1.0 through 6.1.4 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
local
low complexity
fortinet CWE-78
7.8
2023-04-11 CVE-2022-40682 Incorrect Authorization vulnerability in Fortinet Forticlient
A incorrect authorization in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.
local
low complexity
fortinet CWE-863
7.8
2023-04-11 CVE-2022-41331 Missing Authentication for Critical Function vulnerability in Fortinet Fortiproxy
A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authentication requests.
network
low complexity
fortinet CWE-306
critical
9.8
2023-04-11 CVE-2022-42469 Unspecified vulnerability in Fortinet Fortios
A permissive list of allowed inputs vulnerability [CWE-183] in FortiGate version 7.2.3 and below, version 7.0.9 and below Policy-based NGFW Mode may allow an authenticated SSL-VPN user to bypass the policy via bookmarks in the web portal.
network
low complexity
fortinet
4.3
2023-04-11 CVE-2022-42470 Path Traversal vulnerability in Fortinet Forticlient
A relative path traversal vulnerability in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe.
local
low complexity
fortinet CWE-22
7.8
2023-04-11 CVE-2022-42477 Improper Input Validation vulnerability in Fortinet Fortianalyzer
An improper input validation vulnerability [CWE-20] in FortiAnalyzer version 7.2.1 and below, version 7.0.6 and below, 6.4 all versions may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.
local
low complexity
fortinet CWE-20
5.5
2023-04-11 CVE-2022-43946 Incorrect Permission Assignment for Critical Resource vulnerability in Fortinet Forticlient
Multiple vulnerabilities including an incorrect permission assignment for critical resource [CWE-732] vulnerability and a time-of-check time-of-use (TOCTOU) race condition [CWE-367] vulnerability in Fortinet FortiClientWindows before 7.0.7 allows attackers on the same file sharing network to execute commands via writing data into a windows pipe.
network
high complexity
fortinet CWE-732
8.1