Fortinet FortiSOAR vulnerabilities
6 known vulnerabilities affecting fortinet/fortinet_fortisoar.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2
Vulnerabilities
CVE-2022-42473 | MEDIUM | CVSS 5.5 | FortiSOAR 7.2.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0 | 2022-11-02
CVE-2022-42473 [MEDIUM] CWE-306
A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and 7.2.0 allows an attacker to disclose information via logging into the database using a privileged account without a password.
Sources: cvelistv5, nvd
CVE-2022-29061 | HIGH | CVSS 7.2 | FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1 | 2022-09-09
CVE-2022-29061 [HIGH] CWE-78
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP GET requests.
Sources: cvelistv5, nvd
CVE-2022-30298 | HIGH | CVSS 7.8 | FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0 | 2022-09-06
CVE-2022-30298 [HIGH] CWE-269
An improper privilege management vulnerability [CWE-269] in Fortinet FortiSOAR before 7.2.1 allows a GUI user who has already found a way to modify system files (via another, unrelated and hypothetical exploit) to execute arbitrary Python commands as root.
Sources: cvelistv5, nvd
CVE-2022-35847 | HIGH | CVSS 8.8 | FortiSOAR 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.4 | 2022-09-06
CVE-2022-35847 [MEDIUM] CWE-94
An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.4 may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.
Sources: cvelistv5, nvd
CVE-2022-29062 | MEDIUM | CVSS 6.5 | FortiSOAR 7.2.0, 7.0.2, 7.0.1, 7.0.0 | 2022-09-06
CVE-2022-29062 [MEDIUM] CWE-22
Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiSOAR before 7.2.1 allow an authenticated attacker to write to the underlying filesystem with nginx permissions via crafted HTTP requests.
Sources: cvelistv5, nvd
CVE-2022-23443 | HIGH | CVSS 7.5 | FortiSOAR 7.0.2, 7.0.1, 7.0.0, 6.4.4, 6.4.3, 6.4.1, 6.4.0, 6.0.0, 5.x.x | 2022-05-04
CVE-2022-23443 [HIGH]
An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.
Sources: cvelistv5, nvd