Apr 18, 2024
Fortinet Fixes Six Serious Vulnerabilities
Including six vulnerabilities with a high severity rating, Fortinet warned customers on Tuesday (1 November) of 16 vulnerabilities found in the company’s devices.
Improper neutralization of input during web page generation vulnerability (CVE-2022-35842) in FortiADC is one of the high-severity flaws that may allow a remote, unauthenticated attacker to carry out a stored cross-site scripting (XSS) attack using HTTP fields seen in the traffic and event logviews.
A local attacker can directly access the Glassfish server with command-line access using a hardcoded password in FortiSIEM due to a vulnerability.
Cross-site scripting (XSS) vulnerabilities are the remaining critical flaws that can have a high impact. FortiADC, FortiDeceptor, FortiManager, and FortiAnalyzer are all affected. Threat actors can remotely exploit them without needing authentication.
Patches for FortiOS, FortiTester, FortiSOAR, FortiMail, FortiEDR CollectorWindows, FortiClient for Mac, and FortiADC have been released that address medium and low-severity vulnerabilities.
These security flaws can be used for privilege escalation, executing arbitrary commands, bypassing security measures, gathering sensitive data, DoS attacks, and more.
You can find further details on the advisory released by Fortinet.
Another critical vulnerability coded CVE-2022-40684 emerged in October. You can read our detailed blog post about the issue.
Complete List of Fortinet Vulnerabilities
|
CVE-ID |
CVSS Score |
Description |
|
CVE-2022-38374 |
8.8 |
An improper neutralization of input during web page generation (‘cross-site scripting’) |
|
CVE-2022-35851 |
8.0 |
An improper neutralization of input during web page generation vulnerability [CWE-79] |
|
CVE-2022-39950 |
8.0 |
An improper neutralization of input during web page generation vulnerability [CWE-79] |
|
CVE-2022-38373 |
8.0 |
An improper neutralization of input during web page generation vulnerability [CWE-79] |
|
CVE-2022-33870 |
7.8 |
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] |
|
CVE-2022-26119 |
7.8 |
An improper authentication vulnerability |
|
CVE-2022-38372 |
6.7 |
A hidden functionality vulnerability [CWE-1242] |
|
CVE-2022-39945 |
5.4 |
An improper access control vulnerability [CWE-284] |
|
CVE-2022-42473 |
5.3 |
A missing authentication for a critical function vulnerability |
|
CVE-2022-38381 |
5.3 |
An improper handling of malformed request vulnerability [CWE-228] |
|
CVE-2022-26122 |
4.7 |
An insufficient verification of data authenticity vulnerability [CWE-345] |
|
CVE-2022-39949 |
4.4 |
An improper control of a resource through its lifetime vulnerability [CWE-664] |
|
CVE-2022-38380 |
4.3 |
An improper access control [CWE-284] vulnerability |
|
CVE-2022-30307 |
3.9 |
A key management error vulnerability [CWE-320] |
|
CVE-2022-35842 |
3.7 |
An exposure of sensitive information to an unauthorized actor vulnerabiltiy [CWE-200] |
|
CVE-2022-33878 |
2.2 |
An exposure of sensitive information to an unauthorized actor vulnerabiltiy [CWE-200] |
Related Articles
Subscribe to our newsletter and stay updated on the latest insights!
