FortiGuard FortiAuthenticator before 3.0 allows remote administrators to gain privileges via the command line interface.
Max CVSS
9.0
EPSS Score
0.10%
Published
2014-04-30
Updated
2017-08-29
An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
Max CVSS
8.8
EPSS Score
0.24%
Published
2022-04-06
Updated
2022-04-13
A exposure of sensitive information to an unauthorized actor in Fortinet FortiAuthenticator version 6.4.0, version 6.3.2 and below, version 6.2.1 and below, version 6.1.2 and below, version 6.0.7 to 6.0.1 allows attacker to duplicate a target LDAP user 2 factors authentication token via crafted HTTP requests.
Max CVSS
8.3
EPSS Score
0.25%
Published
2021-12-08
Updated
2021-12-09
A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal.
Max CVSS
8.1
EPSS Score
0.07%
Published
2021-12-09
Updated
2021-12-10
An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters.
Max CVSS
7.8
EPSS Score
0.10%
Published
2021-08-04
Updated
2021-08-12
Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the slony PostgreSQL user and (2) www-data for the www-data PostgreSQL user, which makes it easier for remote attackers to obtain access via unspecified vectors.
Max CVSS
7.5
EPSS Score
0.75%
Published
2015-02-03
Updated
2015-02-19
Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key.
Max CVSS
7.5
EPSS Score
0.17%
Published
2021-07-06
Updated
2021-07-08
Fortinet FortiAuthenticator 3.0.0 allows local users to bypass intended restrictions and gain privileges by creating /tmp/privexec/dbgcore_enable_shell_access and executing the "shell" command.
Max CVSS
6.9
EPSS Score
0.04%
Published
2015-02-03
Updated
2017-09-08
A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.
Max CVSS
6.1
EPSS Score
0.08%
Published
2018-05-31
Updated
2019-04-22
An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page.
Max CVSS
6.1
EPSS Score
0.08%
Published
2020-01-07
Updated
2020-01-14
An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.
Max CVSS
6.1
EPSS Score
0.06%
Published
2023-04-11
Updated
2023-04-18
A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.
Max CVSS
5.3
EPSS Score
0.04%
Published
2023-07-11
Updated
2023-07-18
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
Max CVSS
5.3
EPSS Score
0.12%
Published
2023-03-09
Updated
2023-03-15
Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command.
Max CVSS
4.9
EPSS Score
0.04%
Published
2015-02-03
Updated
2017-09-08
Cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the operation parameter to cert/scep/.
Max CVSS
4.3
EPSS Score
0.64%
Published
2015-02-03
Updated
2017-09-08
An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.
Max CVSS
4.3
EPSS Score
0.05%
Published
2022-02-02
Updated
2022-07-12
Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and passwords in cleartext, which allows remote administrators to obtain sensitive information by reading the log at debug/startup/.
Max CVSS
4.0
EPSS Score
0.13%
Published
2015-02-03
Updated
2015-02-19
17 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!