Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-09-30 CVE-2021-24017 Improper Authentication vulnerability in Fortinet Fortimanager
An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.
network
low complexity
fortinet CWE-287
4.3
2021-09-08 CVE-2020-29012 Insufficient Session Expiration vulnerability in Fortinet Fortisandbox
An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
network
low complexity
fortinet CWE-613
5.3
2021-09-06 CVE-2020-15939 Unspecified vulnerability in Fortinet Fortisandbox
An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.
network
low complexity
fortinet
4.3
2021-08-19 CVE-2021-32602 Cross-site Scripting vulnerability in Fortinet Fortiportal
An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value.
network
low complexity
fortinet CWE-79
6.1
2021-08-06 CVE-2021-32587 Unspecified vulnerability in Fortinet Fortianalyzer and Fortimanager
An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration.
network
low complexity
fortinet
4.3
2021-08-06 CVE-2021-32597 Cross-site Scripting vulnerability in Fortinet Fortianalyzer and Fortimanager
Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.
network
low complexity
fortinet CWE-79
5.4
2021-08-05 CVE-2021-32598 HTTP Request Smuggling vulnerability in Fortinet Fortianalyzer
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting attack which gives attackers control of the remaining headers and body of the response.
network
low complexity
fortinet CWE-444
4.3
2021-08-05 CVE-2021-32603 Server-Side Request Forgery (SSRF) vulnerability in Fortinet Fortianalyzer and Fortimanager
A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafted web requests.
network
low complexity
fortinet CWE-918
6.5
2021-08-04 CVE-2021-24014 Cross-site Scripting vulnerability in Fortinet Fortisandbox
Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters.
network
low complexity
fortinet CWE-79
6.1
2021-08-04 CVE-2021-24010 Path Traversal vulnerability in Fortinet Fortisandbox
Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access to files and data via specifially crafted web requests.
network
low complexity
fortinet CWE-22
6.5