Vulnerabilities > Fortinet > Critical

DATE CVE VULNERABILITY TITLE RISK
2023-10-10 CVE-2023-41679 Unspecified vulnerability in Fortinet Fortimanager
An improper access control vulnerability [CWE-284] in FortiManager management interface 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions may allow a remote and authenticated attacker with at least "device management" permission on his profile and belonging to a specific ADOM to add and delete CLI script on other ADOMs
network
low complexity
fortinet
critical
9.6
2023-07-26 CVE-2023-33308 Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy
A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy version 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 allows a remote unauthenticated attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside deep or full packet inspection.
network
low complexity
fortinet CWE-787
critical
9.8
2023-07-11 CVE-2023-28001 Insufficient Session Expiration vulnerability in Fortinet Fortios
An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute unauthorized code or commands via reusing the session of a deleted user in the REST API.
network
low complexity
fortinet CWE-613
critical
9.8
2023-06-23 CVE-2023-33299 Deserialization of Untrusted Data vulnerability in Fortinet Fortinac
A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, below 9.4.3, below 9.2.8 and all earlier versions of 8.x allows attacker to execute unauthorized code or commands via specifically crafted request on inter-server communication port.
network
low complexity
fortinet CWE-502
critical
9.8
2023-06-13 CVE-2023-26204 Insufficiently Protected Credentials vulnerability in Fortinet Fortisiem
A plaintext storage of a password vulnerability [CWE-256] in FortiSIEM 6.7 all versions, 6.6 all versions, 6.5 all versions, 6.4 all versions, 6.3 all versions, 6.2 all versions, 6.1 all versions, 5.4 all versions, 5.3 all versions may allow an attacker able to access user DB content to impersonate any admin user on the device GUI.
network
low complexity
fortinet CWE-522
critical
9.8
2023-06-13 CVE-2023-27997 Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
network
low complexity
fortinet CWE-787
critical
9.8
2023-05-03 CVE-2023-22637 Cross-site Scripting vulnerability in Fortinet Fortinac and Fortinac-F
An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in License Management would permit an authenticated attacker to trigger remote code execution via crafted licenses.
network
low complexity
fortinet CWE-79
critical
9.0
2023-04-11 CVE-2022-41331 Missing Authentication for Critical Function vulnerability in Fortinet Fortiproxy
A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authentication requests.
network
low complexity
fortinet CWE-306
critical
9.8
2023-02-16 CVE-2021-42756 Out-of-bounds Write vulnerability in Fortinet Fortiweb
Multiple stack-based buffer overflow vulnerabilities [CWE-121] in the proxy daemon of FortiWeb 5.x all versions, 6.0.7 and below, 6.1.2 and below, 6.2.6 and below, 6.3.16 and below, 6.4 all versions may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests.
network
low complexity
fortinet CWE-787
critical
9.8
2023-02-16 CVE-2021-42761 Session Fixation vulnerability in Fortinet Fortiweb
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
network
low complexity
fortinet CWE-384
critical
9.8