Fortinet Fortimanager vulnerabilities

CVE-2019-17654 [HIGH] CWE-345 CVE-2019-17654: An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.

CVE-2015-3613 [CRITICAL] CWE-269 CVE-2015-3613: A vulnerability exists in in FortiManager 5.2.1 and earlier and 5.0.10 and earlier in the WebUI FTP A vulnerability exists in in FortiManager 5.2.1 and earlier and 5.0.10 and earlier in the WebUI FTP backup page

CVE-2015-3611 [HIGH] CWE-78 CVE-2015-3611: A Command Injection vulnerability exists in FortiManager 5.2.1 and earlier and FortiManager 5.0.10 a A Command Injection vulnerability exists in FortiManager 5.2.1 and earlier and FortiManager 5.0.10 and earlier via unspecified vectors, which could let a malicious user run systems commands when executing a report.

CVE-2015-3612 [MEDIUM] CWE-79 CVE-2015-3612: A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and e A Cross-site Scripting (XSS) vulnerability exists in FortiManager 5.2.1 and earlier and 5.0.10 and earlier via an unspecified parameter in the FortiWeb auto update service page.

CVE-2019-6695 [CRITICAL] CWE-345 CVE-2019-6695: Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, Lack of root file system integrity checking in Fortinet FortiManager VM application images of 6.2.0, 6.0.6 and below may allow an attacker to implant third-party programs by recreating the image through specific methods.

CVE-2018-13375 [MEDIUM] CWE-79 CVE-2018-13375: An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and FortiManager 5.6.0 and below allows an attacker to send DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer and FortiManager (with FortiAnalyzer feature ena

CVE-2018-1360 [HIGH] CWE-319 CVE-2018-1360: A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 throu A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man in the middle position to retrieve the admin password via intercepting REST API JSON responses.

CVE-2018-1353 [MEDIUM] CWE-200 CVE-2018-1353: An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a s An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a standard user with adom assignment read the interface settings of vdoms unrelated to the assigned adom.

CVE-2018-1351 [MEDIUM] CWE-79 CVE-2018-1351: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions allows attacker to execute HTML/javascript code via managed remote devices CLI commands by viewing the remote device CLI config installation log.

CVE-2018-1355 [MEDIUM] CWE-601 CVE-2018-1355: An open redirect vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, FortiAnalyz An open redirect vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, FortiAnalyzer 6.0.0, 5.6.5 and below versions allows attacker to inject script code during converting a HTML table to a PDF document under the FortiView feature. An attacker may be able to social engineer an authenticated user into generating a PDF file containing

CVE-2018-1354 [MEDIUM] CWE-732 CVE-2018-1354: An improper access control vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, F An improper access control vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, FortiAnalyzer 6.0.0, 5.6.5 and below versions allows a regular user edit the avatar picture of other users with arbitrary content.

CVE-2016-8495 [HIGH] CWE-200 CVE-2016-8495: An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5. An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 allows remote attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack via the Fortisandbox devices probing feature.

CVE-2014-2336 [MEDIUM] CVE-2014-2336: Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManag Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.