Fortinet Fortios

A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may

CVE-2019-17656 6.5 - Medium - April 12, 2021

A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of FortiOS 6.0.10 and below, 6.2.2 and below and FortiProxy 1.0.x, 1.1.x, 1.2.9 and below, 2.0.0 and below may allow an authenticated remote attacker to crash the service by sending a malformed PUT request to the server. Fortinet is not aware of any successful exploitation of this vulnerability that would lead to code execution.

Memory Corruption

When traffic other than HTTP/S (eg: SSH traffic, etc

CVE-2020-15938 7.5 - High - March 04, 2021

When traffic other than HTTP/S (eg: SSH traffic, etc...) traverses the FortiGate in version below 6.2.5 and below 6.4.2 on port 80/443, it is not redirected to the transparent proxy policy for processing, as it doesn't have a valid HTTP header.

An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may

CVE-2020-15937 6.1 - Medium - March 03, 2021

An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard.

XSS

A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may

CVE-2020-6648 6.5 - Medium - October 21, 2020

A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may allow an authenticated attacker to obtain sensitive information such as users passwords by connecting to FortiGate CLI and executing the "diag sys ha checksum show" command.

Cleartext Storage of Sensitive Information

A Default Configuration vulnerability in FortiOS may

CVE-2019-5591 6.5 - Medium - August 14, 2020

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

Information Disclosure

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0

CVE-2020-12812 9.8 - Critical - July 24, 2020

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

authentification

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.0 through 6.2.2, 6.0.9 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may allow an attacker to retrieve a logged-in SSL VPN user's credentials should

CVE-2019-17655 7.5 - High - June 16, 2020

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.0 through 6.2.2, 6.0.9 and earlier and FortiProxy 2.0.0, 1.2.9 and earlier may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system.

Cleartext Storage of Sensitive Information

An external control of system vulnerability in FortiOS may

CVE-2018-13371 8.8 - High - April 02, 2020

An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component.

Improper Input Validation

An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may

CVE-2019-6696 6.1 - Medium - March 15, 2020

An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform an URL redirect attack via a specifically crafted request to the admin initial password change webpage.

Open Redirect

Improper permission or value checking in the CLI console may

CVE-2019-5593 5.5 - Medium - January 23, 2020

Improper permission or value checking in the CLI console may allow a non-privileged user to obtain Fortinet FortiOS plaint text private keys of system's builtin local certificates via unsetting the keys encryption password in FortiOS 6.2.0, 6.0.0 to 6.0.6, 5.6.10 and below or for user uploaded local certificates via setting an empty password in FortiOS 6.2.1, 6.2.0, 6.0.6 and below.

Incorrect Default Permissions

An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS versions 6.2.1 and below, and 6.0.6 and below may

CVE-2019-15705 7.5 - High - November 27, 2019

An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS versions 6.2.1 and below, and 6.0.6 and below may allow an unauthenticated remote attacker to crash the SSL VPN service by sending a crafted POST request.

Improper Input Validation

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may

CVE-2019-6693 6.5 - Medium - November 21, 2019

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key. The aforementioned sensitive data includes users' passwords (except the administrator's password), private keys' passphrases and High Availability password (when set).

Use of Hard-coded Credentials

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may

CVE-2018-9195 5.9 - Medium - November 21, 2019

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information (URL/SPAM services in FortiOS 5.6, and URL/SPAM/AV services in FortiOS 6.0.; URL rating in FortiClient) sent and received from Fortiguard severs by decrypting these messages. Affected products include FortiClient for Windows 6.0.6 and below, FortiOS 6.0.7 and below, FortiClient for Mac OS 6.2.1 and below.

Use of Hard-coded Credentials

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed

CVE-2019-15703 7.5 - High - October 24, 2019

An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2.1, 6.2.0, 6.0.8 and below for device not enable hardware TRNG token and models not support builtin TRNG seed allows attacker to theoretically recover the long term ECDSA secret in a TLS client with a RSA handshake and mutual ECDSA authentication via the help of flush+reload side channel attacks in FortiGate VM models only.

Insufficient Entropy

An information exposure vulnerability in FortiOS 6.2.3, 6.2.0 and below may

CVE-2018-13367 5.3 - Medium - August 23, 2019

An information exposure vulnerability in FortiOS 6.2.3, 6.2.0 and below may allow an unauthenticated attacker to gain platform information such as version, models, via parsing a JavaScript file through admin webUI.

Information Disclosure

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.2.0 to 5.6.10, 6.0.0 to 6.0.4 under SSL VPN web portal may

CVE-2019-5586 6.1 - Medium - June 04, 2019

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.2.0 to 5.6.10, 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "param" parameter of the error process HTTP requests.

XSS

Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may

CVE-2019-5587 6.5 - Medium - June 04, 2019

Lack of root file system integrity checking in Fortinet FortiOS VM application images all versions below 6.0.5 may allow attacker to implant malicious programs into the installing image by reassembling the image through specific methods.

Improper Input Validation

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under SSL VPN web portal may

CVE-2019-5588 6.1 - Medium - June 04, 2019

A reflected Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4 under SSL VPN web portal may allow an attacker to execute unauthorized malicious script code via the "err" parameter of the error process HTTP requests.

XSS

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal

CVE-2018-13379 9.8 - Critical - June 04, 2019

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Directory traversal

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal

CVE-2018-13380 6.1 - Medium - June 04, 2019

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.

XSS

A buffer overflow vulnerability in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.7, 5.4 and earlier versions and FortiProxy 2.0.0, 1.2.8 and earlier versions under SSL VPN web portal

CVE-2018-13381 7.5 - High - June 04, 2019

A buffer overflow vulnerability in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.7, 5.4 and earlier versions and FortiProxy 2.0.0, 1.2.8 and earlier versions under SSL VPN web portal allows a non-authenticated attacker to perform a Denial-of-service attack via special craft message payloads.

Buffer Overflow

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 under SSL VPN web portal

CVE-2018-13382 7.5 - High - June 04, 2019

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

AuthZ

A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal

CVE-2018-13384 6.1 - Medium - June 04, 2019

A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains.

Open Redirect

An Information Exposure vulnerability in Fortinet FortiOS 6.0.1, 5.6.5 and below

CVE-2018-13365 5.3 - Medium - May 29, 2019

An Information Exposure vulnerability in Fortinet FortiOS 6.0.1, 5.6.5 and below, allow attackers to learn private IP as well as the hostname of FortiGate via Application Control Block page.

Information Disclosure

A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4

CVE-2018-13383 6.5 - Medium - May 29, 2019

A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.

Memory Corruption

An information disclosure vulnerability in Fortinet FortiOS 6.0.1, 5.6.7 and below

CVE-2018-13366 5.3 - Medium - April 09, 2019

An information disclosure vulnerability in Fortinet FortiOS 6.0.1, 5.6.7 and below allows attacker to reveals serial number of FortiGate via hostname field defined in connection control setup packets of PPTP protocol.

Information Disclosure

A privilege escalation vulnerability in Fortinet FortiOS 6.0.0 to 6.0.6, 5.6.0 to 5.6.10, 5.4 and below

CVE-2017-17544 7.2 - High - April 09, 2019

A privilege escalation vulnerability in Fortinet FortiOS 6.0.0 to 6.0.6, 5.6.0 to 5.6.10, 5.4 and below allows admin users to elevate their profile to super_admin via restoring modified configurations.

Improper Privilege Management

A format string vulnerability in Fortinet FortiOS 5.6.0

CVE-2018-1352 9.8 - Critical - February 08, 2019

A format string vulnerability in Fortinet FortiOS 5.6.0 allows attacker to execute unauthorized code or commands via the SSH username variable.

Use of Externally-Controlled Format String

A Improper Access Control in Fortinet FortiOS

CVE-2018-13374 8.8 - High - January 22, 2019

A Improper Access Control in Fortinet FortiOS allows attacker to obtain the LDAP server login credentials configured in FortiGate via pointing a LDAP server connectivity test request to a rogue LDAP server instead of the configured one.

Incorrect Permission Assignment for Critical Resource

An uninitialized memory buffer leak exists in Fortinet FortiOS 5.6.1 to 5.6.3

CVE-2018-13376 7.5 - High - November 27, 2018

An uninitialized memory buffer leak exists in Fortinet FortiOS 5.6.1 to 5.6.3, 5.4.6 to 5.4.7, 5.2 all versions under web proxy's disclaimer response web pages, potentially causing sensitive data to be displayed in the HTTP response.

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key

CVE-2018-9194 5.9 - Medium - September 05, 2018

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under VIP SSL feature when CPx being used.

Side Channel Attack

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key

CVE-2018-9192 5.9 - Medium - September 05, 2018

A plaintext recovery of encrypted messages or a Man-in-the-middle (MiTM) attack on RSA PKCS #1 v1.5 encryption may be possible without knowledge of the server's private key. Fortinet FortiOS 5.4.6 to 5.4.9, 6.0.0 and 6.0.1 are vulnerable by such attack under SSL Deep Inspection feature when CPx being used.

Side Channel Attack

An information disclosure vulnerability in Fortinet FortiOS 6.0.0 and below versions reveals user's web portal login credentials in a Javascript file sent to client-side when pages bookmarked in web portal use the Single Sign-On feature.

CVE-2018-9185 8.1 - High - July 05, 2018

An information disclosure vulnerability in Fortinet FortiOS 6.0.0 and below versions reveals user's web portal login credentials in a Javascript file sent to client-side when pages bookmarked in web portal use the Single Sign-On feature.

Information Disclosure