Fortinet FortiDeceptor vulnerabilities
3 known vulnerabilities affecting fortinet/fortinet_fortideceptor.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2022-38373 | MEDIUM | CVSS 5.4 | FortiDeceptor 4.2.0, 4.1.0 through 4.1.1, 4.0.2 | 2022-11-02
CVE-2022-38373 [HIGH] CWE-79
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID.
cvelistv5, nvd
CVE-2022-30302 | HIGH | CVSS 8.1 | FortiDeceptor 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 | 2022-07-19
CVE-2022-30302 [MEDIUM] CWE-22
Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests.
cvelistv5, nvd
CVE-2020-6644 | HIGH | CVSS 8.1 | 3.0.0 and below | Fixed in 3.0.1 | 2020-06-22
CVE-2020-6644 [HIGH] CWE-613
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.
cvelistv5, nvd