FortiPortal
by Fortinet
CVEs (46)
| CVE | Vendor / Product | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2024-31495 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Jun 11, 2024 | An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and version 7.2.0 allows a privileged user to obtain unauthorized information via the report download functionality. |
| CVE-2023-48789 | Fortinet / FortiPortal | 0.00 | — | 0.00 | Jun 3, 2024 | A client-side enforcement of server-side security vulnerability in Fortinet FortiPortal versions 6.0.0 through 6.0.14 allows an attacker to gain improper access via crafted HTTP requests. |
| CVE-2024-23105 | Fortinet / FortiPortal | 0.00 | — | 0.00 | May 14, 2024 | A use of less trusted source vulnerability [CWE-348] in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1 allows an unauthenticated attacker to bypass IP protection through crafted HTTP or HTTPS packets. |
| CVE-2024-21761 | Fortinet / FortiPortal | 0.00 | — | 0.00 | Mar 12, 2024 | An improper authorization vulnerability [CWE-285] in the reports feature of FortiPortal version 7.2.0 and versions 7.0.6 and below may allow a user to download other organizations' reports by modifying the request payload. |
| CVE-2023-41842 | Fortinet / FortiPortal | 0.00 | — | 0.00 | Mar 12, 2024 | A use of externally-controlled format string vulnerability [CWE-134] in Fortinet allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments. |
| CVE-2023-48783 | Fortinet / FortiPortal | 0.00 | — | 0.22 | Jan 10, 2024 | An authorization bypass through user-controlled key vulnerability [CWE-639] affecting FortiPortal version 7.2.1 and below, version 7.0.6 and below, version 6.0.14 and below, version 5.3.8 and below may allow a remote authenticated user with at least read-only permissions to… |
| CVE-2023-46712 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Jan 10, 2024 | An improper access control vulnerability in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1 allows an attacker to escalate their privileges via specifically crafted HTTP requests. |
| CVE-2023-48791 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Dec 13, 2023 | An improper neutralization of special elements used in a command ('command injection') vulnerability [CWE-77] in FortiPortal version 7.2.0 and versions 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via… |
| CVE-2022-27490 | Fortinet / FortiPortal | 0.00 | — | 0.00 | Mar 7, 2023 | An exposure of sensitive information to an unauthorized actor in Fortinet FortiManager version 6.0.0 through 6.0.4, FortiAnalyzer version 6.0.0 through 6.0.4, FortiPortal version 6.0.0 through 6.0.9, 5.3.0 through 5.3.8, 5.2.x, 5.1.0, 5.0.x, 4.2.x, 4.1.x, FortiSwitch version… |
| CVE-2022-43954 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Feb 16, 2023 | An insertion of sensitive information into log file vulnerability [CWE-532] in the FortiPortal management interface 7.0.0 through 7.0.2 may allow a remote authenticated attacker to read other devices' passwords in the audit log page. |
| CVE-2022-41336 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Jan 3, 2023 | An improper neutralization of input during web page generation vulnerability [CWE-79] in the management interface of FortiPortal versions 6.0.0 through 6.0.11 and all versions of 5.3, 5.2, 5.1 and 5.0 may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS)… |
| CVE-2021-26104 | Fortinet / FortiPortal | 0.00 | — | 0.03 | Apr 6, 2022 | Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and… |
| CVE-2021-36171 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Mar 1, 2022 | The use of a cryptographically weak pseudo-random number generator in the password reset feature of FortiPortal before 6.0.6 may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame. |
| CVE-2021-42757 | Fortinet / FortiPortal | 0.00 | — | 0.00 | Dec 8, 2021 | A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2 may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments. |
| CVE-2021-36174 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Nov 2, 2021 | A memory allocation with excessive size value vulnerability in the license verification function of FortiPortal before 6.0.6 may allow an attacker to perform a denial of service attack via specially crafted license blobs. |
| CVE-2021-36176 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Nov 2, 2021 | Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests. |
| CVE-2021-32595 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Nov 2, 2021 | Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests. |
| CVE-2021-36172 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Nov 2, 2021 | An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from… |
| CVE-2021-36181 | Fortinet / FortiPortal | 0.00 | — | 0.00 | Nov 2, 2021 | A concurrent execution using shared resource with improper synchronization vulnerability ('race condition') in the customer database interface of FortiPortal before 6.0.6 may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent… |
| CVE-2021-32602 | Fortinet / FortiPortal | 0.00 | — | 0.01 | Aug 18, 2021 | An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated… |
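CVE-2024-31495, CVE-2024-21761 and CVE-2023-48783 in the table above all sit in the same place: a report download endpoint that takes a client-supplied identifier, and either splices it into SQL or never checks which organization the caller belongs to. The Python below is an added example written for this page, not FortiPortal's code and not a reproduction of any of those bugs; the sqlite3 schema, the two constructed tenants and the function names are assumptions made for the illustration. It puts a handler that trusts the identifier (the only "authorization" is the client's choice of id, and the id is interpolated into the statement) beside one that binds the id as a parameter and scopes the lookup to the caller's own organization, so a foreign report and an injection payload both come back as "not found".

```python
import sqlite3

# Constructed sample data for the illustration: two tenant organizations,
# each owning one report. Schema and names are assumptions, not FortiPortal's.
SCHEMA = """
CREATE TABLE reports (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, name TEXT NOT NULL);
INSERT INTO reports VALUES (1, 100, 'org-A monthly report');
INSERT INTO reports VALUES (2, 200, 'org-B monthly report');
"""


def make_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def download_report_vulnerable(conn, caller_org_id, report_id):
    """Insecure pattern (CWE-639 / CWE-285 plus CWE-89).

    caller_org_id is accepted but never consulted, so any authenticated user can
    fetch any tenant's report just by changing the id in the request payload. The
    id is also pasted into the SQL text, so a value such as "1 OR 1=1" returns
    every row in the table.
    """
    sql = f"SELECT id, org_id, name FROM reports WHERE id = {report_id}"
    return conn.execute(sql).fetchall()


def download_report_fixed(conn, caller_org_id, report_id):
    """Server-side authorization: the lookup is scoped to the caller's own
    organization and the id is bound as a parameter, never interpolated.

    Returns the row, or None both when the report does not exist and when it
    belongs to another tenant, so the response does not leak which case applies.
    """
    try:
        rid = int(report_id)          # anything that is not an integer is rejected here
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, org_id, name FROM reports WHERE id = ? AND org_id = ?",
        (rid, caller_org_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # A user of org 200 asks for org 100's report, then sends an injection payload.
    print(download_report_vulnerable(db, 200, "1"))          # foreign report leaks
    print(download_report_vulnerable(db, 200, "1 OR 1=1"))   # every report leaks
    print(download_report_fixed(db, 200, "1"))               # None
    print(download_report_fixed(db, 200, "1 OR 1=1"))        # None
    print(download_report_fixed(db, 200, "2"))               # own report only
```

The tenant filter belongs in the query itself rather than in a check applied after the row is loaded: a later refactor that adds a second code path to the same table then inherits the restriction instead of silently dropping it.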
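CVE-2024-23105 is a CWE-348 "use of less trusted source" flaw in FortiPortal's IP protection, reachable without authentication. The table does not say which field the product trusted, only that crafted HTTP or HTTPS packets were enough. The Python below is an added illustration of that weakness class, not FortiPortal's code, and assumes the textbook case: an allowlist check that reads the client address from an X-Forwarded-For header that anyone on the internet can set. The allowlist, the proxy address and the sample headers are constructed for the example.

```python
import ipaddress

# Constructed configuration for the illustration (not FortiPortal's own):
# only admins on 10.0.0.0/8 may reach the management UI, and 192.0.2.10 is
# the single reverse proxy we operate in front of the application.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def _allowed(ip):
    return any(ip in net for net in ALLOWED_ADMIN_NETS)


def client_ip_vulnerable(peer_addr, headers):
    """CWE-348: believes whatever the sender wrote in X-Forwarded-For.

    The header is attacker-controlled data in the request, so a direct client can
    claim any address it likes and the peer address is consulted only as a fallback.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_addr)


def client_ip_fixed(peer_addr, headers):
    """Honours X-Forwarded-For only when the TCP peer is one of our own proxies,
    and then takes the right-most entry, which is the value *our* proxy appended.
    Anything a client prepended itself is ignored; a direct connection is judged
    by its real peer address.
    """
    peer = ipaddress.ip_address(peer_addr)
    xff = headers.get("X-Forwarded-For")
    if peer in TRUSTED_PROXIES and xff:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_admin_allowed(peer_addr, headers, resolve_client_ip):
    """Allowlist decision using the given resolver; malformed addresses are denied."""
    try:
        return _allowed(resolve_client_ip(peer_addr, headers))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: an outside host connects directly and forges the header.
    forged = {"X-Forwarded-For": "10.1.2.3"}
    print(is_admin_allowed("198.51.100.7", forged, client_ip_vulnerable))  # True: bypassed
    print(is_admin_allowed("198.51.100.7", forged, client_ip_fixed))       # False
    # Same forgery sent through our proxy, which appends the real client address.
    via_proxy = {"X-Forwarded-For": "10.1.2.3, 198.51.100.7"}
    print(is_admin_allowed("192.0.2.10", via_proxy, client_ip_vulnerable))  # True: bypassed
    print(is_admin_allowed("192.0.2.10", via_proxy, client_ip_fixed))       # False
```

The fixed resolver only works if the proxy really is the sole path to the application; if the service port is also reachable directly, a client can still connect as its own "peer" and the allowlist then sees the true source address, which is the intended behaviour.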
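CVE-2021-36171 describes a password reset feature whose new password came from a cryptographically weak pseudo-random number generator and could be predicted "within a given time frame". The Python below is an added illustration of that weakness class, not FortiPortal's code and not its actual generator: it assumes, for the sake of the example, a generator seeded with the reset time in seconds, shows how an attacker who knows roughly when the reset happened recovers the password by scanning that window against a yes/no oracle (a login attempt, say), and gives the CSPRNG-backed replacement that leaves nothing to scan.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
LENGTH = 12


def weak_reset_password(seed):
    """Weak pattern (CWE-338): the password is a pure function of a low-entropy seed.

    `seed` stands in for the reset timestamp in seconds, an assumption for this
    example. random.Random is a Mersenne Twister; with the seed known it replays
    exactly, and with the seed only roughly known it is a few hundred guesses.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def recover_weak_password(approx_time, window_seconds, oracle):
    """Attacker model: the reset happened within +/- window_seconds of approx_time
    and `oracle(candidate)` reports whether a candidate is the live password.
    Returns (password, seed) on success, (None, None) otherwise.
    """
    for t in range(approx_time - window_seconds, approx_time + window_seconds + 1):
        candidate = weak_reset_password(t)
        if oracle(candidate):
            return candidate, t
    return None, None


def strong_reset_password():
    """Replacement: draws each character from the OS CSPRNG. There is no seed to
    guess, so knowing when the reset happened gives the attacker nothing.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


if __name__ == "__main__":
    reset_at = 1_700_000_000                     # constructed reset timestamp
    issued = weak_reset_password(reset_at)
    # The attacker saw the reset e-mail arrive about half a minute later.
    found, seed = recover_weak_password(reset_at + 37, 60, lambda c: c == issued)
    print(issued, found, seed == reset_at)      # identical password, seed recovered
    print(strong_reset_password())
```

The oracle in the example is a direct comparison; in practice it is whatever confirms a guess, and a reset flow that rate-limits logins only widens the attacker's time budget rather than removing the predictability, which is why the fix is the generator, not the window.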
Page 2 of 3