Fortinet Fortiweb vulnerabilities

124 known vulnerabilities affecting fortinet/fortiweb.

Total CVEs: 124
CISA KEV: 4 (actively exploited)
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 49, MEDIUM 57, LOW 3

Vulnerabilities

Page 4 of 7
CVE-2022-40683 | HIGH | CVSS 7.8 | Affected: ≥ 7.0.0, ≤ 7.0.3 | Date: 2023-02-16
CWE-415: A double free in Fortinet FortiWeb version 7.0.0 through 7.0.3 may allow an attacker to execute unauthorized code or commands via specially crafted commands.
Sources: cvelistv5, nvd
CVE-2023-23783 | HIGH | CVSS 7.8 | Affected: ≥ 6.4.0, < 6.4.2; ≥ 7.0.0, < 7.0.2; +2 more | Date: 2023-02-16
CWE-134: A use of externally-controlled format string in Fortinet FortiWeb version 7.0.0 through 7.0.1, FortiWeb 6.4 all versions allows an attacker to execute unauthorized code or commands via specially crafted command arguments.
Sources: cvelistv5, nvd
CVE-2023-25602 | HIGH | CVSS 7.8 | Affected: ≥ 5.6.0, < 5.9.2; ≥ 6.0.0, < 6.0.8; +13 more | Date: 2023-02-16
CWE-121: A stack-based buffer overflow in Fortinet FortiWeb 6.4 all versions, FortiWeb versions 6.3.17 and earlier, FortiWeb versions 6.2.6 and earlier, FortiWeb versions 6.1.2 and earlier, FortiWeb versions 6.0.7 and earlier, FortiWeb versions 5.9.1 and earlier, FortiWeb 5.8 all versions, FortiWeb 5.7 all versions, FortiWeb 5.6 all versions allows attacker to
Sources: cvelistv5, nvd
CVE-2023-23779 | HIGH | CVSS 8.8 | Affected: ≥ 6.3.6, ≤ 6.3.19; v6.4.0; +6 more | Date: 2023-02-16
CWE-78: Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiWeb version 7.0.1 and below, 6.4 all versions, version 6.3.19 and below may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests.
Sources: cvelistv5, nvd
CVE-2023-23780 | HIGH | CVSS 8.8 | Affected: ≥ 6.3.0, < 6.3.20; ≥ 6.4.0, ≤ 6.4.2; +3 more | Date: 2023-02-16
CWE-121: A stack-based buffer overflow in Fortinet FortiWeb version 7.0.0 through 7.0.1, Fortinet FortiWeb version 6.3.6 through 6.3.19, Fortinet FortiWeb 6.4 all versions allows an attacker to escalate privileges via specifically crafted HTTP requests.
Sources: cvelistv5, nvd
CVE-2021-43074 | MEDIUM | CVSS 4.3 | Affected: ≥ 6.0.0, < 6.3.17; ≥ 6.4.0, < 7.0.0; +5 more | Date: 2023-02-16
CWE-347: An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7
Sources: cvelistv5, nvd
CVE-2022-30300 | MEDIUM | CVSS 6.5 | Affected: ≥ 6.3.6, < 6.3.19; v6.4.0; +7 more | Date: 2023-02-16
CWE-23: A relative path traversal vulnerability [CWE-23] in FortiWeb 7.0.0 through 7.0.1, 6.3.6 through 6.3.18, 6.4 all versions may allow an authenticated attacker to obtain unauthorized access to files and data via specifically crafted HTTP GET requests.
Sources: cvelistv5, nvd
CVE-2023-23778 | MEDIUM | CVSS 6.5 | Affected: ≥ 6.2.3, ≤ 6.2.7; ≥ 6.3.0, ≤ 6.3.21; +7 more | Date: 2023-02-16
CWE-23: A relative path traversal vulnerability [CWE-23] in FortiWeb version 7.0.1 and below, 6.4 all versions, 6.3 all versions, 6.2 all versions may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests.
Sources: cvelistv5, nvd
CVE-2023-23784 | MEDIUM | CVSS 6.5 | Affected: ≥ 6.3.6, < 6.3.21; ≥ 6.4.0, ≤ 6.4.2; +3 more | Date: 2023-02-16
CWE-23: A relative path traversal in Fortinet FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.3.6 through 6.3.20, FortiWeb 6.4 all versions allows an attacker to disclose information via specially crafted web requests.
Sources: cvelistv5, nvd
CVE-2022-30299 | MEDIUM | CVSS 4.3 | Affected: ≥ 6.0.0, ≤ 6.0.8; ≥ 6.1.0, ≤ 6.1.3; +10 more | Date: 2023-02-16
CWE-23: A path traversal vulnerability [CWE-23] in the API of FortiWeb 7.0.0 through 7.0.1, 6.3.0 through 6.3.19, 6.4 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions may allow an authenticated attacker to retrieve specific parts of files from the underlying file system via specially crafted web requests.
Sources: cvelistv5, nvd
CVE-2022-42471 | MEDIUM | CVSS 5.4 | Affected: ≥ 6.3.6, ≤ 6.3.21; v6.4.0; +7 more | Date: 2023-01-03
CWE-113: An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] in FortiWeb version 7.0.0 through 7.0.2, FortiWeb version 6.4.0 through 6.4.2, FortiWeb version 6.3.6 through 6.3.20 may allow an authenticated and remote attacker to inject arbitrary headers.
Sources: cvelistv5, nvd
CVE-2021-41026 | MEDIUM | CVSS 6.5 | Affected: ≥ 6.3.0, < 6.3.16; ≥ 6.4.0, < 6.4.2 | Date: 2022-04-06
CWE-22: A relative path traversal in FortiWeb versions 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
Sources: nvd
CVE-2021-36193 | HIGH | CVSS 7.2 | Affected: ≥ 5.0.0, < 6.2.6; ≥ 6.3.0, < 6.3.16; +3 more | Date: 2022-02-02
CWE-121: Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.
Sources: cvelistv5, nvd
CVE-2021-42753 | HIGH | CVSS 8.1 | Affected: ≥ 5.8.0, < 6.3.16; ≥ 6.4.0, < 6.4.2 | Date: 2022-02-02
CWE-22: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform arbitrary file and directory deletion in the device filesystem.
Sources: nvd
CVE-2021-41018 | HIGH | CVSS 8.8 | Affected: ≥ 6.2.0, < 6.2.7; ≥ 6.3.0, < 6.3.16; +1 more | Date: 2022-02-02
CWE-78: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Sources: nvd
CVE-2021-43073 | HIGH | CVSS 8.8 | Affected: ≥ 5.8.0, < 6.2.7; ≥ 6.3.0, < 6.3.17; +1 more | Date: 2022-02-02
CWE-78: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Sources: nvd
CVE-2021-36194 | HIGH | CVSS 8.8 | Affected: ≥ 6.3.0, ≤ 6.3.15; v6.4.0; +1 more | Date: 2021-12-09
CWE-787: Multiple stack-based buffer overflows in the API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted requests.
Sources: nvd
CVE-2021-43071 | HIGH | CVSS 8.8 | Affected: ≥ 6.2.0, ≤ 6.2.6; ≥ 6.3.0, ≤ 6.3.16; +2 more | Date: 2021-12-09
CWE-787: A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to the LogReport API controller.
Sources: nvd
CVE-2021-41025 | CRITICAL | CVSS 9.8 | Affected: ≥ 6.0.0, ≤ 6.0.7; ≥ 6.2.0, ≤ 6.2.6; +7 more | Date: 2021-12-08
CWE-362: Multiple vulnerabilities in the authentication mechanism of confd in FortiWeb versions 6.4.1, 6.4.0, 6.3.0 through 6.3.15, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, including an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay, may allow a r
Sources: nvd
CVE-2021-41017 | HIGH | CVSS 8.8 | Affected: ≥ 6.3.0, ≤ 6.3.15; v6.4.0; +1 more | Date: 2021-12-08
CWE-787: Multiple heap-based buffer overflow vulnerabilities in some web API controllers of FortiWeb 6.4.1, 6.4.0, and 6.3.0 through 6.3.15 may allow a remote authenticated attacker to execute arbitrary code or commands via specifically crafted HTTP requests.
Sources: nvd