Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-11-02 CVE-2020-12814 Cross-site Scripting vulnerability in Fortinet Fortianalyzer
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.
network
low complexity
fortinet CWE-79
5.4
2021-11-02 CVE-2020-15940 Cross-site Scripting vulnerability in Fortinet Forticlient Enterprise Management Server
An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server.
network
low complexity
fortinet CWE-79
5.4
2021-11-02 CVE-2021-26107 Unspecified vulnerability in Fortinet Fortimanager 6.4.4/6.4.5
An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.
network
low complexity
fortinet
4.3
2021-11-02 CVE-2021-32595 Resource Exhaustion vulnerability in Fortinet Fortiportal
Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests.
network
low complexity
fortinet CWE-400
6.5
2021-11-02 CVE-2021-41019 Improper Certificate Validation vulnerability in Fortinet Fortios
An improper validation of certificate with host mismatch [CWE-297] vulnerability in FortiOS versions 6.4.6 and below may allow the connection to a malicious LDAP server via options in GUI, leading to disclosure of sensitive information, such as AD credentials.
network
low complexity
fortinet CWE-295
6.5
2021-10-06 CVE-2020-15941 Path Traversal vulnerability in Fortinet Forticlient Endpoint Management Server
A path traversal vulnerability [CWE-22] in FortiClientEMS versions 6.4.1 and below; 6.2.8 and below may allow an authenticated attacker to inject directory traversal character sequences to add/delete the files of the server via the name parameter of Deployment Packages.
network
low complexity
fortinet CWE-22
5.4
2021-10-06 CVE-2021-24021 Cross-site Scripting vulnerability in Fortinet Fortianalyzer
An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks.
network
low complexity
fortinet CWE-79
5.4
2021-10-06 CVE-2021-36175 Cross-site Scripting vulnerability in Fortinet Fortiweb
An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.
network
low complexity
fortinet CWE-79
5.4
2021-10-06 CVE-2021-36178 Insufficiently Protected Credentials vulnerability in Fortinet Fortisdnconnector
A insufficiently protected credentials in Fortinet FortiSDNConnector version 1.1.7 and below allows attacker to disclose third-party devices credential information via configuration page lookup.
network
low complexity
fortinet CWE-522
6.5
2021-09-30 CVE-2021-24016 Improper Neutralization of Formula Elements in a CSV File vulnerability in Fortinet Fortimanager
An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.
local
high complexity
fortinet CWE-1236
6.3