FortiPortal

by Fortinet

CVEs (46)

  • CVE-2024-31495 (Jun 11, 2024)
    risk 0.00 | cvss n/a | epss 0.01

    An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and version 7.2.0 allows a privileged user to obtain unauthorized information via the report download functionality.

  • CVE-2023-48789 (Jun 3, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    A client-side enforcement of server-side security vulnerability in Fortinet FortiPortal versions 6.0.0 through 6.0.14 allows an attacker to bypass access controls via crafted HTTP requests.

  • CVE-2024-23105 (May 14, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    A Use of Less Trusted Source [CWE-348] vulnerability in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and versions 7.2.0 through 7.2.1 allows an unauthenticated attacker to bypass IP protection through crafted HTTP or HTTPS packets.

  • CVE-2024-21761 (Mar 12, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    An improper authorization vulnerability [CWE-285] in the reports feature of FortiPortal version 7.2.0 and versions 7.0.6 and below may allow a user to download other organizations' reports via modification of the request payload.

  • CVE-2023-41842 (Mar 12, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    A use of externally-controlled format string vulnerability [CWE-134] in Fortinet products allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.

  • CVE-2023-48783 (Jan 10, 2024)
    risk 0.00 | cvss n/a | epss 0.22

    An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting FortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to…

  • CVE-2023-46712 (Jan 10, 2024)
    risk 0.00 | cvss n/a | epss 0.01

    An improper access control vulnerability in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and versions 7.2.0 through 7.2.1 allows an attacker to escalate their privileges via specifically crafted HTTP requests.

  • CVE-2023-48791 (Dec 13, 2023)
    risk 0.00 | cvss n/a | epss 0.01

    An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via…

  • CVE-2022-27490 (Mar 7, 2023)
    risk 0.00 | cvss n/a | epss 0.00

    An exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version…

  • CVE-2022-43954 (Feb 16, 2023)
    risk 0.00 | cvss n/a | epss 0.01

    An insertion of sensitive information into log file vulnerability [CWE-532] in the FortiPortal management interface 7.0.0 through 7.0.2 may allow a remote authenticated attacker to read other devices' passwords in the audit log page.

  • CVE-2022-41336 (Jan 3, 2023)
    risk 0.00 | cvss n/a | epss 0.01

    An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1, 5.0 management interface may allow a remote authenticated attacker to perform a stored cross site scripting (XSS)…

  • CVE-2021-26104 (Apr 6, 2022)
    risk 0.00 | cvss n/a | epss 0.03

    Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and…

  • CVE-2021-36171 (Mar 1, 2022)
    risk 0.00 | cvss n/a | epss 0.01

    The use of a cryptographically weak pseudo-random number generator in the password reset feature of FortiPortal before 6.0.6 may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame.

  • CVE-2021-42757 (Dec 8, 2021)
    risk 0.00 | cvss n/a | epss 0.00

    A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.

  • CVE-2021-36174 (Nov 2, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    A memory allocation with excessive size value vulnerability in the license verification function of FortiPortal before 6.0.6 may allow an attacker to perform a denial of service attack via specially crafted license blobs.

  • CVE-2021-36176 (Nov 2, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests.

  • CVE-2021-32595 (Nov 2, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests.

  • CVE-2021-36172 (Nov 2, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from…

  • CVE-2021-36181 (Nov 2, 2021)
    risk 0.00 | cvss n/a | epss 0.00

    A concurrent execution using shared resource with improper synchronization vulnerability ('Race Condition') in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent…

  • CVE-2021-32602 (Aug 18, 2021)
    risk 0.00 | cvss n/a | epss 0.01

    An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated…