Vulnerabilities > Fortinet

DATE CVE VULNERABILITY TITLE RISK
2023-02-16 CVE-2022-30300 Path Traversal vulnerability in Fortinet Fortiweb
A relative path traversal vulnerability [CWE-23] in FortiWeb 7.0.0 through 7.0.1, 6.3.6 through 6.3.18, 6.4 all versions may allow an authenticated attacker to obtain unauthorized access to files and data via specifically crafted HTTP GET requests.
network
low complexity
fortinet CWE-22
6.5
2023-02-16 CVE-2022-30303 OS Command Injection vulnerability in Fortinet Fortiweb
An improper neutralization of special elements used in an os command ('OS Command Injection') [CWE-78] in FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions may allow an authenticated attacker to execute arbitrary shell code as `root` user via crafted HTTP requests.
network
low complexity
fortinet CWE-78
8.8
2023-02-16 CVE-2022-30304 Cross-site Scripting vulnerability in Fortinet Fortianalyzer
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAnalyzer versions prior to 7.2.1, 7.0.4 and 6.4.8 may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer.
network
low complexity
fortinet CWE-79
6.1
2023-02-16 CVE-2022-30306 Out-of-bounds Write vulnerability in Fortinet Fortiweb
A stack-based buffer overflow vulnerability [CWE-121] in the CA sign functionality of FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.19 and below may allow an authenticated attacker to achieve arbitrary code execution via specifically crafted password.
network
low complexity
fortinet CWE-787
8.8
2023-02-16 CVE-2022-33869 OS Command Injection vulnerability in Fortinet Fortiwan
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiWAN 4.0.0 through 4.5.9 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
network
low complexity
fortinet CWE-78
8.8
2023-02-16 CVE-2022-33871 Out-of-bounds Write vulnerability in Fortinet Fortiweb
A stack-based buffer overflow vulnerability [CWE-121] in FortiWeb version 7.0.1 and earlier, 6.4 all versions, version 6.3.19 and earlier may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI `execute backup-local rename` and `execute backup-local show` operations.
network
low complexity
fortinet CWE-787
7.2
2023-02-16 CVE-2022-38375 Unspecified vulnerability in Fortinet Fortinac and Fortinac-F
An improper authorization vulnerability [CWE-285]  in Fortinet FortiNAC version 9.4.0 through 9.4.1 and before 9.2.6 allows an unauthenticated user to perform some administrative operations over the FortiNAC instance via crafted HTTP POST requests.
network
low complexity
fortinet
critical
9.8
2023-02-16 CVE-2022-38376 Cross-site Scripting vulnerability in Fortinet Fortinac
Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerabilities [CWE-79] in Fortinet FortiNAC portal UI before 9.4.1 allows an attacker to perform an XSS attack via crafted HTTP requests.
network
low complexity
fortinet CWE-79
6.1
2023-02-16 CVE-2022-38378 Improper Privilege Management vulnerability in Fortinet Fortios and Fortiproxy
An improper privilege management vulnerability [CWE-269] in Fortinet FortiOS version 7.2.0 and before 7.0.7 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an attacker that has access to the admin profile section (System subsection Administrator Users) to modify their own profile and upgrade their privileges to Read Write via CLI or GUI commands.
local
low complexity
fortinet CWE-269
6.0
2023-02-16 CVE-2022-39948 Improper Certificate Validation vulnerability in Fortinet Fortios and Fortiproxy
An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy)
network
high complexity
fortinet CWE-295
7.4