Fortinet Fortimanager vulnerabilities

CVE-2024-32115 [MEDIUM] CWE-23 CVE-2024-32115: A relative path traversal vulnerability [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4 A relative path traversal vulnerability [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPs requests.

CVE-2021-32589 [CRITICAL] CWE-416 CVE-2021-32589: A Use After Free (CWE-416) vulnerability in FortiManager version 7.0.0, version 6.4.5 and below, ver A Use After Free (CWE-416) vulnerability in FortiManager version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 and below, version 5.6.10 and below, version 5.4.7 and below, version 5.2.10 and below, version 5.0.12 and below and FortiAnalyzer version 7.0.0, version 6.4.5 and below, version 6.2.7 and below, version 6.0.10 a

CVE-2024-48889 [HIGH] CWE-78 CVE-2024-48889: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulner An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12 and below, version 6.4.14 and below and FortiManager Cloud version 7.4.4 and below, version 7.2.7 to 7.2.1, version 7.0.12 to 7.0.1 may allow

CVE-2024-26011 [CRITICAL] CWE-306 CVE-2024-26011: A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 throug

CVE-2024-33505 [HIGH] CWE-122 CVE-2024-33505: A heap-based buffer overflow in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7. A heap-based buffer overflow in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows attacker to escalation of privilege via specially crafted http requests

CVE-2024-23666 [HIGH] CWE-602 CVE-2024-23666: A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least versi A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.1 and 7

CVE-2024-32117 [MEDIUM] CWE-22 CVE-2024-32117: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiManager version 7.4.0 through 7.4.2 and below 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and below 7.2.5 & FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker to read arbitrary files from the und

CVE-2024-32118 [MEDIUM] CWE-78 CVE-2024-32118: Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and Fortinet FortiAnalyzer-BigData before 7.4.0 allows an authenticated privileged attack

CVE-2023-44255 [MEDIUM] CWE-359 CVE-2023-44255: An exposure of sensitive information to an unauthorized actor [CWE-200] in Fortinet FortiManager bef An exposure of sensitive information to an unauthorized actor [CWE-200] in Fortinet FortiManager before 7.4.2, FortiAnalyzer before 7.4.2 and FortiAnalyzer-BigData before 7.2.5 may allow a privileged attacker with administrative read permissions to read event logs of another adom via crafted HTTP or HTTPs requests.

CVE-2024-32116 [MEDIUM] CWE-23 CVE-2024-32116: Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 thr Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData version 7.4.0 and before 7.2.7 allows a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

CVE-2024-31496 [MEDIUM] CWE-121 CVE-2024-31496: A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager version 7.4.0 through A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData 7.4.0 and before 7.2.7 allows a privileged attacker to execute unauthorized code or commands via crafted CLI requests.

CVE-2024-35274 [LOW] CWE-23 CVE-2024-35274: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker with read write administrative privileges to create non-arbitrary

CVE-2024-47575 [CRITICAL] CWE-306 CVE-2024-47575: A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4 A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Clou

CVE-2024-33506 [MEDIUM] CWE-200 CVE-2024-33506: An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManage An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager 7.4.2 and below, 7.2.5 and below, 7.0.12 and below allows a remote authenticated attacker assigned to an Administrative Domain (ADOM) to access device summary of unauthorized ADOMs via crafted HTTP requests.

CVE-2023-44254 [MEDIUM] CWE-639 CVE-2023-44254: An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request.

CVE-2024-21757 [HIGH] CWE-620 CVE-2024-21757: A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 A unverified password change in Fortinet FortiManager versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, as well as Fortinet FortiAnalyzer versions 7.0.0 through 7.0.10, versions 7.2.0 through 7.2.4, and versions 7.4.0 through 7.4.1, allows an attacker to modify admin passwords via the device configuration ba

CVE-2023-47542 [MEDIUM] CWE-1336 CVE-2023-47542: A improper neutralization of special elements used in a template engine [CWE-1336] in FortiManager v A improper neutralization of special elements used in a template engine [CWE-1336] in FortiManager versions 7.4.1 and below, versions 7.2.4 and below, and 7.0.10 and below allows attacker to execute unauthorized code or commands via specially crafted templates.

CVE-2023-36554 [CRITICAL] CWE-284 CVE-2023-36554: A improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, versi A improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13, 6.2 all versions allows attacker to execute unauthorized code or commands via specially crafted HTTP requests.

CVE-2023-41842 [MEDIUM] CWE-134 CVE-2023-41842: A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allo A use of externally-controlled format string vulnerability [CWE-134] vulnerability in Fortinet allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.

CVE-2023-42791 [HIGH] CWE-23 CVE-2023-42791: A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 t A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.