Vulnerabilities > Fortinet > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-04 | CVE-2015-3612 | Cross-site Scripting vulnerability in Fortinet Fortimanager A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page. | 5.4 |
| 2020-01-28 | CVE-2019-17651 | Cross-site Scripting vulnerability in Fortinet Fortisiem An Improper Neutralization of Input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule. | 5.4 |
| 2020-01-23 | CVE-2019-15707 | Unspecified vulnerability in Fortinet Fortimail An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to perform system backup config download they should not be authorized for. | 4.9 |
| 2020-01-23 | CVE-2019-5593 | Improper Handling of Exceptional Conditions vulnerability in Fortinet Fortios Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below. | 5.5 |
| 2020-01-07 | CVE-2019-6700 | Insufficiently Protected Credentials vulnerability in Fortinet Fortisiem An information exposure vulnerability in the external authentication profile form of FortiSIEM 5.2.2 and earlier may allow an authenticated attacker to retrieve the external authentication password via the HTML source code. | 6.5 |
| 2020-01-07 | CVE-2019-16154 | Cross-site Scripting vulnerability in Fortinet Fortiauthenticator 6.0.0 An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page. | 6.1 |
| 2019-11-21 | CVE-2019-6693 | Use of Hard-coded Credentials vulnerability in Fortinet Fortios Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. | 6.5 |
| 2019-11-21 | CVE-2019-15704 | Missing Encryption of Sensitive Data vulnerability in Fortinet Forticlient A clear text storage of sensitive information vulnerability in FortiClient for Mac may allow a local attacker to read sensitive information logged in the console window when the user connects to an SSL VPN Gateway. | 5.5 |
| 2019-11-21 | CVE-2018-9195 | Use of Hard-coded Credentials vulnerability in Fortinet Fortios Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages. | 5.9 |
| 2019-08-28 | CVE-2019-5590 | Cross-site Scripting vulnerability in Fortinet Fortiweb The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form. | 6.1 |