Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-01-07 CVE-2019-6700 Insufficiently Protected Credentials vulnerability in Fortinet Fortisiem
An information exposure vulnerability in the external authentication profile form of FortiSIEM 5.2.2 and earlier may allow an authenticated attacker to retrieve the external authentication password via the HTML source code.
network
low complexity
fortinet CWE-522
6.5
2020-01-07 CVE-2019-16154 Cross-site Scripting vulnerability in Fortinet Fortiauthenticator 6.0.0
An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page.
network
low complexity
fortinet CWE-79
6.1
2019-11-21 CVE-2019-6693 Use of Hard-coded Credentials vulnerability in Fortinet Fortios
Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key.
network
low complexity
fortinet CWE-798
6.5
2019-11-21 CVE-2019-15704 Missing Encryption of Sensitive Data vulnerability in Fortinet Forticlient
A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway.
local
low complexity
fortinet CWE-311
5.5
2019-11-21 CVE-2018-9195 Use of Hard-coded Credentials vulnerability in Fortinet Fortios
Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages.
network
high complexity
fortinet CWE-798
5.9
2019-08-28 CVE-2019-5590 Cross-site Scripting vulnerability in Fortinet Fortiweb
The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form.
network
low complexity
fortinet CWE-79
6.1
2019-08-23 CVE-2019-5594 Cross-site Scripting vulnerability in Fortinet Fortinac 8.3.0/8.3.6/8.5.0
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
network
low complexity
fortinet CWE-79
6.1
2019-08-23 CVE-2018-13367 Information Exposure vulnerability in Fortinet Fortios
An information exposure vulnerability in FortiOS 6.2.3, 6.2.0 and below may allow an unauthenticated attacker to gain platform information such as version, models, via parsing a JavaScript file through admin webUI.
network
low complexity
fortinet CWE-200
5.3
2019-08-23 CVE-2019-5592 Improper Verification of Cryptographic Signature vulnerability in Fortinet Fortios IPS Engine
Multiple padding oracle vulnerabilities (Zombie POODLE, GOLDENDOODLE, OpenSSL 0-length) in the CBC padding implementation of FortiOS IPS engine version 5.000 to 5.006, 4.000 to 4.036, 4.200 to 4.219, 3.547 and below, when configured with SSL Deep Inspection policies and with the IPS sensor enabled, may allow an attacker to decipher TLS connections going through the FortiGate via monitoring the traffic in a Man-in-the-middle position.
network
high complexity
fortinet CWE-347
5.9
2019-07-08 CVE-2019-13399 Use of Hard-coded Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.
network
high complexity
fortinet CWE-798
5.9