Vulnerabilities > Fortinet

DATE CVE VULNERABILITY TITLE RISK
2018-05-25 CVE-2017-14185 Information Exposure vulnerability in Fortinet Fortios
An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8 and 5.2 all versions allows SSL VPN web portal users to access internal FortiOS configuration information (eg:addresses) via specifically crafted URLs inside the SSL-VPN web portal.
network
low complexity
fortinet CWE-200
5.3
5.3
2018-05-24 CVE-2017-14187 Improper Privilege Management vulnerability in Fortinet Fortios
A local privilege escalation and local code execution vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.8, and 5.2 and below versions allows attacker to execute unauthorized binary program contained on an USB drive plugged into a FortiGate via linking the aforementioned binary program to a command that is allowed to be run by the fnsysctl CLI command.
low complexity
fortinet CWE-269
6.2
6.2
2018-05-08 CVE-2017-17540 Use of Hard-coded Credentials vulnerability in Fortinet Fortiwlc
The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows attackers to gain unauthorized read/write access via a remote shell.
network
low complexity
fortinet CWE-798
critical
 9.8
9.8
2018-05-08 CVE-2017-17539 Use of Hard-coded Credentials vulnerability in Fortinet Fortiwlc
The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and earlier allows attackers to gain unauthorized read/write access via a remote shell.
network
low complexity
fortinet CWE-798
critical
 9.8
9.8
2018-04-26 CVE-2017-17543 Inadequate Encryption Strength vulnerability in Fortinet Forticlient
Users' VPN authentication credentials are unsafely encrypted in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2335 and below versions, due to the use of a static encryption key and weak encryption algorithms.
network
low complexity
fortinet CWE-326
7.5
7.5
2018-03-20 CVE-2017-14191 Unspecified vulnerability in Fortinet Fortiweb
An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up to but not including 6.1.0 under "Signed Security Mode", allows attacker to bypass the signed user cookie protection by removing the FortiWeb own protection session cookie.
network
high complexity
fortinet
5.9
5.9
2018-02-09 CVE-2012-6347 Cross-site Scripting vulnerability in Fortinet Fortidb 4.4.1
Multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling in FortiGate FortiDB before 4.4.2 allow remote attackers to inject arbitrary web script or HTML via the conversationContext parameter to (1) admin/auditTrail.jsf, (2) mapolicymgmt/targetsMonitorView.jsf, (3) vascan/globalsummary.jsf, (4) vaerrorlog/vaErrorLog.jsf, (5) database/listTargetGroups.jsf, (6) sysconfig/listSystemInfo.jsf, (7) vascan/list.jsf, (8) network/router.jsf, (9) mapolicymgmt/editPolicyProfile.jsf, or (10) mapolicymgmt/maPolicyMasterList.jsf.
network
low complexity
fortinet CWE-79
6.1
6.1
2018-02-09 CVE-2012-6346 Cross-site Scripting vulnerability in Fortinet Fortiweb
Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) redir or (2) mkey parameter to waf/pcre_expression/validate.
network
low complexity
fortinet CWE-79
6.1
6.1
2018-02-08 CVE-2012-0941 Cross-site Scripting vulnerability in Fortinet Fortios
Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules, or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list.
network
low complexity
fortinet CWE-79
6.1
6.1
2018-01-29 CVE-2017-14190 Cross-site Scripting vulnerability in Fortinet Fortios
A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows attacker to inject arbitrary web script or HTML via maliciously crafted "Host" header in user HTTP requests.
network
low complexity
fortinet CWE-79
6.1
6.1