A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.Reports have...
Read MoreAn exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other...
Read MoreAn improper certificate validation vulnerability [CWE-295] in FortiClientWindows, FortiClientLinux and FortiClientMac may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication...
Read MoreAn improper access control vulnerability [CWE-284] in FortiEDR Manager API may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to...
Read MoreAn insufficient session expiration vulnerability [CWE-613] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required...
Read MoreAn unverified password change vulnerability [CWE-620] in FortiManager or FortiAnalyzer may allow a read-write user to modify admin passwords via the device configuration backup.
Read MoreA fundamental design flaw within the RADIUS protocol has been proven to be exploitable, compromising the integrity in the RADIUS Access-Request process. The attack allows a malicious user to modify packets in a way that would be...
Read MoreAn improper access control vulnerability [CWE-284] in FortiOS may allow an attacker who has already successfully obtained write access to the underlying system (via another hypothetical exploit) to bypass the file integrity...
Read MoreAn improper neutralization of special elements [CWE-89] used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiDDoS & FortiDDoS-F may allow an authenticated attacker to execute shell code...
Read MoreAn improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR may allow a remote authenticated attacker to perform a stored cross site scripting (XSS) attack via the Communications...
Read MoreAn improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS and FortiProxy’s web SSL VPN UI may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via...
Read MoreAn improper access control vulnerability [CWE-284] in FortiExtender authentication component may allow a remote authenticated attacker to create users with elevated privileges via a crafted HTTP request.
Read More