Total
79 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23782 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 7.8 HIGH |
A heap-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb version 6.3.0 through 6.3.19, FortiWeb 6.4 all versions, FortiWeb 6.2 all versions, FortiWeb 6.1 all versions allows attacker to escalation of privilege via specifically crafted arguments to existing commands. | |||||
CVE-2023-22636 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 3.3 LOW |
An unauthorized configuration download vulnerability in FortiWeb 6.3.6 through 6.3.21, 6.4.0 through 6.4.2 and 7.0.0 through 7.0.4 may allow a local attacker to access confidential configuration files via a crafted http request. | |||||
CVE-2022-33871 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 7.2 HIGH |
A stack-based buffer overflow vulnerability [CWE-121] in FortiWeb version 7.0.1 and earlier, 6.4 all versions, version 6.3.19 and earlier may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI `execute backup-local rename` and `execute backup-local show` operations. | |||||
CVE-2023-25602 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 7.8 HIGH |
A stack-based buffer overflow in Fortinet FortiWeb 6.4 all versions, FortiWeb versions 6.3.17 and earlier, FortiWeb versions 6.2.6 and earlier, FortiWeb versions 6.1.2 and earlier, FortiWeb versions 6.0.7 and earlier, FortiWeb versions 5.9.1 and earlier, FortiWeb 5.8 all versions, FortiWeb 5.7 all versions, FortiWeb 5.6 all versions allows attacker to execute unauthorized code or commands via specially crafted command arguments. | |||||
CVE-2022-39951 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 8.8 HIGH |
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | |||||
CVE-2021-42761 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 9.8 CRITICAL |
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session. | |||||
CVE-2021-41026 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
A relative path traversal in FortiWeb versions 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. | |||||
CVE-2021-36190 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 6.3 MEDIUM |
A unintended proxy or intermediary ('confused deputy') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to access protected hosts via crafted HTTP requests. | |||||
CVE-2021-41014 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A uncontrolled resource consumption in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an unauthenticated attacker to make the httpsd daemon unresponsive via huge HTTP packets | |||||
CVE-2021-36194 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
Multiple stack-based buffer overflows in the API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted requests. | |||||
CVE-2021-43064 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to use the device as a proxy and reach external or protected hosts via redirection handlers. | |||||
CVE-2021-41017 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
Multiple heap-based buffer overflow vulnerabilities in some web API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow a remote authenticated attacker to execute arbitrary code or commands via specifically crafted HTTP requests. | |||||
CVE-2021-41027 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH |
A stack-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, allows an authenticated attacker to execute unauthorized code or commands via crafted certificates loaded into the device. | |||||
CVE-2021-43071 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to the LogReport API controller. | |||||
CVE-2021-36193 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands. | |||||
CVE-2021-41018 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
CVE-2021-41015 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to SAML login handler | |||||
CVE-2021-42753 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 8.5 HIGH | 8.1 HIGH |
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem. | |||||
CVE-2021-36180 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
Multiple improper neutralization of special elements used in a command vulnerabilities [CWE-77] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.5 and below may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests. | |||||
CVE-2021-43073 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests. |