Fortinet Fortiadc vulnerabilities

CVE-2022-38381 [MEDIUM] CVE-2022-38381: An improper handling of malformed request vulnerability [CWE-228] exists in FortiADC 5.0 all version An improper handling of malformed request vulnerability [CWE-228] exists in FortiADC 5.0 all versions, 6.0.0 all versions, 6.1.0 all versions, 6.2.0 through 6.2.3, and 7.0.0 through 7.0.2. This may allow a remote attacker without privileges to bypass some Web Application Firewall (WAF) protection such as the SQL Injection and XSS filters via a malformed HTT

CVE-2022-38374 [HIGH] CWE-79 CVE-2022-38374: A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet F A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event logviews.

CVE-2022-35851 [HIGH] CWE-79 CVE-2022-35851: An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC ma An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface 7.1.0 may allow a remote and authenticated attacker to trigger a stored cross site scripting (XSS) attack via configuring a specially crafted IP Address.

CVE-2022-27484 [MEDIUM] CWE-287 CVE-2022-27484: A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x a A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x allows an authenticated attacker to bypass the Old Password check in the password change form via a crafted HTTP request.

CVE-2022-26120 [MEDIUM] CWE-89 CVE-2022-26120: Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulner Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in FortiADC management interface 7.0.0 through 7.0.1, 5.0.0 through 6.2.2 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

CVE-2020-15935 [MEDIUM] CWE-312 CVE-2020-15935: A cleartext storage of sensitive information in GUI in FortiADC versions 5.4.3 and below, 6.0.0 and A cleartext storage of sensitive information in GUI in FortiADC versions 5.4.3 and below, 6.0.0 and below may allow a remote authenticated attacker to retrieve some sensitive information such as users LDAP passwords and RADIUS shared secret by deobfuscating the passwords entry fields.

CVE-2019-6699 [MEDIUM] CWE-79 CVE-2019-6699: An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow a An improper neutralization of input vulnerability in Fortinet FortiADC 5.3.3 and earlier may allow an attacker to execute a stored Cross Site Scripting (XSS) via a field in the traffic group interface.