Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-08-03 CVE-2022-27484 Improper Authentication vulnerability in Fortinet Fortiadc
A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x allows an authenticated attacker to bypass the Old Password check in the password change form via a crafted HTTP request.
network
low complexity
fortinet CWE-287
4.3
2022-07-19 CVE-2022-29057 Cross-site Scripting vulnerability in Fortinet Fortiedr
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload into the Management Console via various endpoints.
network
low complexity
fortinet CWE-79
5.4
2022-07-19 CVE-2022-30301 Path Traversal vulnerability in Fortinet Fortiap-U
A path traversal vulnerability [CWE-22] in FortiAP-U CLI 6.2.0 through 6.2.3, 6.0.0 through 6.0.4, 5.4.0 through 5.4.6 may allow an admin user to delete and access unauthorized files and data via specifically crafted CLI commands.
local
low complexity
fortinet CWE-22
6.7
2022-07-18 CVE-2021-22131 Improper Certificate Validation vulnerability in Fortinet Fortitoken Mobile
A improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, Fortinet FortiTokenWinApp version 4.0.3 and below allows attacker to retrieve information disclosed via man-in-the-middle attacks.
high complexity
fortinet CWE-295
5.4
2022-07-18 CVE-2022-23438 Cross-site Scripting vulnerability in Fortinet Fortios
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in FortiOS version 7.0.5 and prior and 6.4.9 and prior may allow an unauthenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the captive portal authentication replacement page.
network
low complexity
fortinet CWE-79
6.1
2022-07-18 CVE-2022-26118 Improper Privilege Management vulnerability in Fortinet Fortianalyzer and Fortimanager
A privilege chaining vulnerability [CWE-268] in FortiManager and FortiAnalyzer 6.0.x, 6.2.x, 6.4.0 through 6.4.7, 7.0.0 through 7.0.3 may allow a local and authenticated attacker with a restricted shell to escalate their privileges to root due to incorrect permissions of some folders and executable files on the system.
local
low complexity
fortinet CWE-269
6.7
2022-07-18 CVE-2021-42755 Integer Overflow or Wraparound vulnerability in Fortinet products
An integer overflow / wraparound vulnerability [CWE-190] in FortiSwitch 7.0.2 and below, 6.4.9 and below, 6.2.x, 6.0.x; FortiRecorder 6.4.2 and below, 6.0.10 and below; FortiOS 7.0.2 and below, 6.4.8 and below, 6.2.10 and below, 6.0.x; FortiProxy 7.0.0, 2.0.6 and below, 1.2.x, 1.1.x, 1.0.x; FortiVoiceEnterprise 6.4.3 and below, 6.0.10 and below dhcpd daemon may allow an unauthenticated and network adjacent attacker to crash the dhcpd deamon, resulting in potential denial of service.
low complexity
fortinet CWE-190
4.3
2022-07-18 CVE-2021-44170 Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy
A stack-based buffer overflow vulnerability [CWE-121] in the command line interpreter of FortiOS before 7.0.4 and FortiProxy before 2.0.8 may allow an authenticated attacker to execute unauthorized code or commands via specially crafted command line arguments.
local
low complexity
fortinet CWE-787
6.7
2022-07-18 CVE-2022-22304 Cross-site Scripting vulnerability in Fortinet Fortiauthenticator Agent for Microsoft Outlook web Access 2.1/2.2
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAuthenticator OWA Agent for Microsoft version 2.2 and 2.1 may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.
network
low complexity
fortinet CWE-79
6.1
2022-05-24 CVE-2022-22306 Improper Certificate Validation vulnerability in Fortinet Fortios
An improper certificate validation vulnerability [CWE-295] in FortiOS 6.0.0 through 6.0.14, 6.2.0 through 6.2.10, 6.4.0 through 6.4.8, 7.0.0 may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the FortiGate and some peers such as private SDNs and external cloud platforms.
high complexity
fortinet CWE-295
5.3