| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-44166 | | | | 2022-03-02 | 2022-03-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper access control vulnerability [CWE-284] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user. |
| 2 | CVE-2021-42754 | 94 | | | 2021-11-02 | 2021-11-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user's permission via a malicious dylib file. |
| 3 | CVE-2021-42752 | 79 | | Exec Code XSS | 2021-12-08 | 2021-12-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to execute malicious JavaScript code on the victim's host via crafted HTTP requests. |
| 4 | CVE-2021-41029 | 79 | | XSS | 2021-12-08 | 2021-12-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows an attacker to store malicious JavaScript code in the device and trigger it via crafted HTTP requests. |
| 5 | CVE-2021-36181 | 362 | | | 2021-11-02 | 2021-11-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A concurrent execution using shared resource with improper synchronization vulnerability ('race condition') in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent state via specific coordination of web requests. |
| 6 | CVE-2021-36177 | | | | 2022-02-02 | 2022-07-12 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same VLAN as the HA management interface to make an unauthenticated direct connection to the FAC's database. |
| 7 | CVE-2021-36175 | 79 | | XSS | 2021-10-06 | 2021-10-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device. |
| 8 | CVE-2021-32597 | 79 | | XSS | 2021-08-06 | 2021-08-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple improper neutralization of input during web page generation (CWE-79) vulnerabilities in the user interface of FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) by injecting a malicious payload in GET parameters. |
| 9 | CVE-2021-26111 | 401 | | | 2021-06-01 | 2021-06-11 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | A missing release of memory after effective lifetime vulnerability in FortiSwitch 6.4.0 to 6.4.6, 6.2.0 to 6.2.6, 6.0.0 to 6.0.6, 3.6.11 and below may allow an attacker on an adjacent network to exhaust available memory by sending specifically crafted LLDP/CDP/EDP packets to the device. |
| 10 | CVE-2021-24021 | 79 | | XSS | 2021-10-06 | 2021-10-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request via other, hypothetical attacks. |
| 11 | CVE-2020-15940 | 79 | | XSS | 2021-11-02 | 2021-11-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server. |
| 12 | CVE-2020-12815 | 79 | | XSS | 2020-09-24 | 2020-10-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in FortiTester before 3.9.0 may allow a remote authenticated attacker to inject script-related HTML tags via IPv4/IPv6 address fields. |
| 13 | CVE-2020-12814 | 79 | | Exec Code XSS | 2021-11-02 | 2021-11-03 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows an attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI. |
| 14 | CVE-2020-9288 | 79 | | XSS | 2020-06-22 | 2020-06-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in FortiWLC 8.5.1 allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the ESS profile or the Radius Profile. |
| 15 | CVE-2020-6647 | 79 | | XSS | 2020-04-07 | 2020-04-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in the dashboard of FortiADC may allow an authenticated attacker to perform a cross site scripting attack (XSS) via the name parameter. |
| 16 | CVE-2020-6646 | 79 | | XSS | 2020-03-17 | 2020-03-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in FortiWeb allows a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Disclaimer Description of a Replacement Message. |
| 17 | CVE-2020-6643 | 79 | | XSS | 2020-03-12 | 2020-03-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in the URL Description in Fortinet FortiIsolator version 1.2.2 allows a remote authenticated attacker to perform a cross site scripting attack (XSS). |
| 18 | CVE-2020-6640 | 79 | | XSS | 2020-06-04 | 2020-06-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area. |
| 19 | CVE-2019-17651 | 79 | | XSS | 2020-01-28 | 2020-01-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in the description and title parameters of a Device Maintenance Schedule in FortiSIEM version 5.2.5 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) by injecting malicious JavaScript code into the description field of a Device Maintenance schedule. |
| 20 | CVE-2019-6699 | 79 | | XSS | 2020-03-13 | 2020-03-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored cross site scripting attack (XSS) via a field in the traffic group interface. |
| 21 | CVE-2019-5591 | 200 | | +Info | 2020-08-14 | 2021-07-21 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | A default configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. |
| 22 | CVE-2018-1351 | 79 | | Exec Code XSS | 2018-06-28 | 2020-01-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions allows an attacker to execute HTML/JavaScript code via managed remote devices' CLI commands by viewing the remote device CLI config installation log. |
| 23 | CVE-2017-14186 | 79 | | XSS | 2017-11-29 | 2019-05-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under the SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. A URL redirection attack may also be feasible by injecting an external URL via the affected parameter. |
| 24 | CVE-2017-7736 | 79 | | XSS | 2017-11-22 | 2017-12-07 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability in the Fortinet FortiWeb webUI Certificate View page in 5.8.0, 5.7.1 and earlier allows attackers to inject arbitrary web script or HTML via a specially crafted malicious certificate import. |
| 25 | CVE-2017-7735 | 79 | | Exec Code XSS | 2017-09-12 | 2017-09-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting vulnerability in Fortinet FortiOS versions 5.2.0 through 5.2.11 and 5.4.0 through 5.4.4 allows attackers to execute unauthorized code or commands via the "Groups" input while creating or editing User Groups. |
| 26 | CVE-2017-7734 | 79 | | Exec Code XSS | 2017-09-12 | 2017-09-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 allows attackers to execute unauthorized code or commands via 'Comments' while saving Config Revisions. |
| 27 | CVE-2017-7335 | 79 | | XSS | 2017-10-26 | 2017-11-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x (6.1-2, 6.1-4 and 6.1-5); 7.0-x (7.0-7, 7.0-8, 7.0-9, 7.0-10); and 8.x (8.0, 8.1, 8.2 and 8.3.0-8.3.2) allows an authenticated user to inject arbitrary web script or HTML via the non-sanitized parameters "refresh" and "branchtotable" present in HTTP POST requests. |
| 28 | CVE-2017-3131 | 79 | | Exec Code XSS | 2017-09-12 | 2017-09-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to execute unauthorized code or commands via the filter input in "Applications" under FortiView. |
| 29 | CVE-2017-3128 | 79 | | Exec Code XSS | 2017-05-23 | 2017-07-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A stored cross-site scripting (XSS) vulnerability in Fortinet FortiOS allows attackers to execute unauthorized code or commands via the policy global-label parameter. |
| 30 | CVE-2016-3196 | 79 | | XSS | 2016-08-05 | 2018-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6 and FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an image uploaded in the report section. |
| 31 | CVE-2016-3193 | 79 | | XSS | 2016-08-19 | 2017-08-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the appliance web application in Fortinet FortiManager 5.x before 5.0.12, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 and FortiAnalyzer 5.x before 5.0.13, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 32 | CVE-2015-3612 | 79 | | XSS | 2020-02-04 | 2020-02-05 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | A cross-site scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page. |
| 33 | CVE-2015-1451 | 79 | | XSS | 2015-02-02 | 2015-02-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiOS 5.0 Patch 7 build 4457 allow remote authenticated users to inject arbitrary web script or HTML via the (1) WTP Name or (2) WTP Active Software Version field in a CAPWAP Join request. |
| 34 | CVE-2014-1458 | 79 | | XSS | 2014-02-04 | 2017-08-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the web administration interface in FortiGuard FortiWeb 5.0.3 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors. |