Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-12-06 CVE-2022-38379 Cross-site Scripting vulnerability in Fortinet Fortisoar
Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR.
network
low complexity
fortinet CWE-79
5.4
2022-12-06 CVE-2022-40680 Cross-site Scripting vulnerability in Fortinet Fortios
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.
network
low complexity
fortinet CWE-79
5.4
2022-11-02 CVE-2022-33878 Information Exposure vulnerability in Fortinet Forticlient
An exposure of sensitive information to an unauthorized actor vulnerabiltiy [CWE-200] in FortiClient for Mac versions 7.0.0 through 7.0.5 may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext via running a logstream for the FortiTray process in the terminal.
local
low complexity
fortinet CWE-200
5.5
2022-11-02 CVE-2022-35851 Cross-site Scripting vulnerability in Fortinet Fortiadc 7.1.0
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface 7.1.0 may allow a remote and authenticated attacker to trigger a stored cross site scripting (XSS) attack via configuring a specially crafted IP Address.
network
low complexity
fortinet CWE-79
5.4
2022-11-02 CVE-2022-38372 Unspecified vulnerability in Fortinet Fortitester
A hidden functionality vulnerability [CWE-1242] in FortiTester CLI 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow a local, privileged user to obtain a root shell on the device via an undocumented command.
local
low complexity
fortinet
6.7
2022-11-02 CVE-2022-38373 Cross-site Scripting vulnerability in Fortinet Fortideceptor
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID.
network
low complexity
fortinet CWE-79
5.4
2022-11-02 CVE-2022-38374 Cross-site Scripting vulnerability in Fortinet Fortiadc
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event logviews.
network
low complexity
fortinet CWE-79
6.1
2022-11-02 CVE-2022-38380 Unspecified vulnerability in Fortinet Fortios 7.0.3/7.2.0
An improper access control [CWE-284] vulnerability in FortiOS version 7.2.0 and versions 7.0.0 through 7.0.7 may allow a remote authenticated read-only user to modify the interface settings via the API.
network
low complexity
fortinet
4.3
2022-11-02 CVE-2022-39945 Authorization Bypass Through User-Controlled Key vulnerability in Fortinet Fortimail
An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).
network
low complexity
fortinet CWE-639
6.5
2022-11-02 CVE-2022-39949 Unspecified vulnerability in Fortinet Fortiedr
An improper control of a resource through its lifetime vulnerability [CWE-664] in FortiEDR CollectorWindows 4.0.0 through 4.1, 5.0.0 through 5.0.3.751, 5.1.0 may allow a privileged user to terminate the FortiEDR processes with special tools and bypass the EDR protection.
local
low complexity
fortinet
5.5