Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-10-24 CVE-2019-6692 Uncontrolled Search Path Element vulnerability in Fortinet Forticlient
A malicious DLL preload vulnerability in Fortinet FortiClient for Windows 6.2.0 and below allows a privileged attacker to perform arbitrary code execution via forging that DLL. 		4.4
4.4
2019-08-28 CVE-2019-5590 Cross-site Scripting vulnerability in Fortinet Fortiweb
The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form.
network
fortinet CWE-79
4.3
4.3
2019-08-23 CVE-2019-5594 Cross-site Scripting vulnerability in Fortinet Fortinac 8.3.0/8.3.6/8.5.0
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
network
fortinet CWE-79
4.3
4.3
2019-08-23 CVE-2018-13367 Information Exposure vulnerability in Fortinet Fortios
An information exposure vulnerability in FortiOS 6.2.3, 6.2.0 and below may allow an unauthenticated attacker to gain platform information such as version, models, via parsing a JavaScript file through admin webUI.
network
low complexity
fortinet CWE-200
5.0
5.0
2019-08-23 CVE-2019-5592 Improper Verification of Cryptographic Signature vulnerability in Fortinet Fortios IPS Engine
Multiple padding oracle vulnerabilities (Zombie POODLE, GOLDENDOODLE, OpenSSL 0-length) in the CBC padding implementation of FortiOS IPS engine version 5.000 to 5.006, 4.000 to 4.036, 4.200 to 4.219, 3.547 and below, when configured with SSL Deep Inspection policies and with the IPS sensor enabled, may allow an attacker to decipher TLS connections going through the FortiGate via monitoring the traffic in a Man-in-the-middle position.
network
fortinet CWE-347
4.3
4.3
2019-07-08 CVE-2019-13402 Improper Cross-boundary Removal of Sensitive Data vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0
/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process.
network
low complexity
fortinet CWE-212
6.5
6.5
2019-07-08 CVE-2019-13401 Cross-Site Request Forgery (CSRF) vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/.
network
fortinet CWE-352
6.8
6.8
2019-07-08 CVE-2019-13400 Insufficiently Protected Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0
Dynacolor FCM-MB40 v1.2.0.0 use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext.
network
low complexity
fortinet CWE-522
5.0
5.0
2019-07-08 CVE-2019-13399 Use of Hard-coded Credentials vulnerability in Fortinet Fcm-Mb40 Firmware 1.2.0.0
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.
network
fortinet CWE-798
4.3
4.3
2019-06-04 CVE-2019-5588 Cross-site Scripting vulnerability in Fortinet Fortios
A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "err" parameter of the error process HTTP requests.
network
fortinet CWE-79
4.3
4.3