Vulnerabilities > Fortinet > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-05-03 CVE-2022-45859 Insufficiently Protected Credentials vulnerability in Fortinet Fortinac and Fortinac-F
An insufficiently protected credentials vulnerability [CWE-522] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions, 8.7.0 all versions may allow a local attacker with system access to retrieve users' passwords.
local
low complexity
fortinet CWE-522
4.4
2023-04-11 CVE-2022-27485 SQL Injection vulnerability in Fortinet Fortisandbox
A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.
network
low complexity
fortinet CWE-89
6.5
2023-04-11 CVE-2022-35850 Cross-site Scripting vulnerability in Fortinet Fortiauthenticator
An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.
network
low complexity
fortinet CWE-79
6.1
2023-04-11 CVE-2022-42469 Unspecified vulnerability in Fortinet Fortios
A permissive list of allowed inputs vulnerability [CWE-183] in FortiGate version 7.2.3 and below, version 7.0.9 and below Policy-based NGFW Mode may allow an authenticated SSL-VPN user to bypass the policy via bookmarks in the web portal.
network
low complexity
fortinet
4.3
2023-04-11 CVE-2022-42477 Improper Input Validation vulnerability in Fortinet Fortianalyzer
An improper input validation vulnerability [CWE-20] in FortiAnalyzer version 7.2.1 and below, version 7.0.6 and below, 6.4 all versions may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.
local
low complexity
fortinet CWE-20
5.5
2023-04-11 CVE-2022-43952 Cross-site Scripting vulnerability in Fortinet Fortiadc
An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC version 7.1.1 and below, version 7.0.3 and below, version 6.2.5 and below may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
network
low complexity
fortinet CWE-79
5.4
2023-04-11 CVE-2022-43955 Cross-site Scripting vulnerability in Fortinet Fortiweb
An improper neutralization of input during web page generation [CWE-79] in the FortiWeb web interface 7.0.0 through 7.0.3, 6.3.0 through 6.3.21, 6.4 all versions, 6.2 all versions, 6.1 all versions and 6.0 all versions may allow an unauthenticated and remote attacker to perform a reflected cross site scripting attack (XSS) via injecting malicious payload in log entries used to build report.
network
low complexity
fortinet CWE-79
6.1
2023-04-11 CVE-2023-22641 Open Redirect vulnerability in Fortinet Fortios and Fortiproxy
A url redirection to untrusted site ('open redirect') in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.9, FortiOS versions 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy version 7.0.0 through 7.0.8, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specially crafted requests.
network
low complexity
fortinet CWE-601
5.4
2023-04-11 CVE-2022-41330 Cross-site Scripting vulnerability in Fortinet Fortios and Fortiproxy
An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9, version 6.4.0 through 6.4.11 and before 6.2.12 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.
network
low complexity
fortinet CWE-79
6.1
2023-03-09 CVE-2022-29056 Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortimail
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
network
low complexity
fortinet CWE-307
5.3