Filtered by vendor Fortinet
Subscriptions
Total
1044 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64471 | 1 Fortinet | 1 Fortiweb | 2025-12-10 | 4.4 Medium |
| A use of password hash instead of password for authentication vulnerability [CWE-836] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests | ||||
| CVE-2025-64156 | 1 Fortinet | 1 Fortivoice | 2025-12-10 | 6.8 Medium |
| An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests | ||||
| CVE-2025-64447 | 1 Fortinet | 1 Fortiweb | 2025-12-10 | 7.1 High |
| A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS request via forged cookies, requiring prior knowledge of the FortiWeb serial number. | ||||
| CVE-2025-60024 | 1 Fortinet | 1 Fortivoice | 2025-12-10 | 7.7 High |
| Multiple Improper Limitations of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilities [CWE-22] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated attacker to write arbitrary files via specifically HTTP or HTTPS commands | ||||
| CVE-2025-53949 | 1 Fortinet | 1 Fortisandbox | 2025-12-10 | 7 High |
| An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests. | ||||
| CVE-2025-53679 | 1 Fortinet | 3 Fortisandbox Paas, Fortisandbox, Fortisandboxcloud | 2025-12-10 | 6.9 Medium |
| An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox version 5.0.0 through 5.0.2 and before 4.4.7 GUI allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests. | ||||
| CVE-2025-59719 | 1 Fortinet | 1 Fortiweb | 2025-12-10 | 9.1 Critical |
| An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. | ||||
| CVE-2025-59718 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortiswitchmanager | 2025-12-10 | 9.1 Critical |
| A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. | ||||
| CVE-2024-47570 | 1 Fortinet | 5 Fortios, Fortipam, Fortiproxy and 2 more | 2025-12-10 | 6.3 Medium |
| An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration). | ||||
| CVE-2025-64153 | 1 Fortinet | 2 Fortiextender, Fortiextender Firmware | 2025-12-09 | 6.7 Medium |
| A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request. | ||||
| CVE-2025-59923 | 1 Fortinet | 1 Fortiauthenticator | 2025-12-09 | 2.6 Low |
| An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.4, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests. | ||||
| CVE-2025-57823 | 1 Fortinet | 1 Fortiauthenticator | 2025-12-09 | 2.6 Low |
| A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints | ||||
| CVE-2025-62631 | 1 Fortinet | 1 Fortios | 2025-12-09 | 5.3 Medium |
| An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to maintain access to network resources via an active SSLVPN session not terminated after a user's password change under particular conditions outside of the attacker's control | ||||
| CVE-2025-54838 | 1 Fortinet | 1 Fortiportal | 2025-12-09 | 6.4 Medium |
| An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests. | ||||
| CVE-2025-59808 | 1 Fortinet | 3 Fortisoar, Fortisoaron-premise, Fortisoarpaas | 2025-12-09 | 6.5 Medium |
| An unverified password change vulnerability [CWE-620] vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password | ||||
| CVE-2025-59810 | 1 Fortinet | 3 Fortisoar, Fortisoaron-premise, Fortisoarpaas | 2025-12-09 | 6.2 Medium |
| An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests | ||||
| CVE-2025-54353 | 1 Fortinet | 1 Fortisandbox | 2025-12-09 | 5.3 Medium |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an attacker to perform an XSS attack via crafted HTTP requests. | ||||
| CVE-2025-25255 | 1 Fortinet | 2 Fortios, Fortiproxy | 2025-12-09 | 4.8 Medium |
| An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0.1 through 7.0.22 may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests. | ||||
| CVE-2025-47761 | 1 Fortinet | 2 Forticlient, Forticlientwindows | 2025-11-24 | 7.1 High |
| An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.9 may allow an authenticated local user to execute unauthorized code via fortips driver. Success of the attack would require bypassing the Windows memory protections such as Heap integrity and HSP. In addition, it requires a valid and running VPN IPSec connection. | ||||
| CVE-2025-58034 | 1 Fortinet | 1 Fortiweb | 2025-11-21 | 6.7 Medium |
| An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. | ||||