Vulnerabilities > Fortinet > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-06 | CVE-2022-38379 | Cross-site Scripting vulnerability in Fortinet Fortisoar Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR. | 5.4 |
2022-12-06 | CVE-2022-40680 | Cross-site Scripting vulnerability in Fortinet Fortios A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages. | 5.4 |
2022-11-02 | CVE-2022-33878 | Information Exposure vulnerability in Fortinet Forticlient An exposure of sensitive information to an unauthorized actor vulnerabiltiy [CWE-200] in FortiClient for Mac versions 7.0.0 through 7.0.5 may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext via running a logstream for the FortiTray process in the terminal. | 5.5 |
2022-11-02 | CVE-2022-35851 | Cross-site Scripting vulnerability in Fortinet Fortiadc 7.1.0 An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface 7.1.0 may allow a remote and authenticated attacker to trigger a stored cross site scripting (XSS) attack via configuring a specially crafted IP Address. | 5.4 |
2022-11-02 | CVE-2022-38372 | Unspecified vulnerability in Fortinet Fortitester A hidden functionality vulnerability [CWE-1242] in FortiTester CLI 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow a local, privileged user to obtain a root shell on the device via an undocumented command. | 6.7 |
2022-11-02 | CVE-2022-38373 | Cross-site Scripting vulnerability in Fortinet Fortideceptor An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID. | 5.4 |
2022-11-02 | CVE-2022-38374 | Cross-site Scripting vulnerability in Fortinet Fortiadc A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event logviews. | 6.1 |
2022-11-02 | CVE-2022-38380 | Unspecified vulnerability in Fortinet Fortios 7.0.3/7.2.0 An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API. | 4.3 |
2022-11-02 | CVE-2022-39945 | Authorization Bypass Through User-Controlled Key vulnerability in Fortinet Fortimail An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR). | 6.5 |
2022-11-02 | CVE-2022-39949 | Unspecified vulnerability in Fortinet Fortiedr An improper control of a resource through its lifetime vulnerability [CWE-664] in FortiEDR CollectorWindows 4.0.0 through 4.1, 5.0.0 through 5.0.3.751, 5.1.0 may allow a privileged user to terminate the FortiEDR processes with special tools and bypass the EDR protection. | 5.5 |