Fortinet – November 2022 Vulnerability Advisories
Fortinet vulnerabilities – November. 16 vulnerabilities were detected, of which 6 are classified as "high severity".
Check the affected systems and vulnerabilities, and update operating systems regularly.
FortiManager/FortiAnalyzer – XSS Vulnerability in Report Templates
Advisory Summary: An XSS attack can be conducted via a crafted CKEditor "protected" comment in the report templates.
Affected Products:
- FortiAnalyzer version 7.0.0 through 7.0.4
- FortiAnalyzer version 6.4.0 through 6.4.8
- FortiAnalyzer 6.2 all versions
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-228
CVSS Score: 7.6

FortiADC – WAF XSS Injection Bypass
Advisory Summary: Protection bypass in FortiADC.
Affected Products:
- FortiADC version 7.0.0 through 7.0.2
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 6.1.0 through 6.1.6
- FortiADC version 6.0.0 through 6.0.4
- FortiADC version 5.4.0 through 5.4.5
- FortiADC version 5.3.0 through 5.3.7
- FortiADC version 5.2.0 through 5.2.8
- FortiADC version 5.1.0 through 5.1.7
- FortiADC version 5.0.0 through 5.0.4
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-234
CVSS Score: 5.2

FortiSOAR – PostgreSQL DB access to local users
Advisory Summary: Unprotected Postgres DB in FortiSOAR.
Affected Products:
- FortiSOAR version 7.2.0 through 7.2.2
- FortiSOAR version 7.0.0 through 7.0.3
- FortiSOAR version 6.4.0 through 6.4.4
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-216
CVSS Score: 4.8

FortiADC – Persistent XSS in Log pages
Advisory Summary: A remote unauthenticated attacker may inject a malicious payload in an HTTP request issued from a host behind a FortiADC that is acting as a load balancer.
Affected Products:
- FortiADC version 7.0.0 through 7.0.2
- FortiADC version 6.2.0 through 6.2.3
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-232
CVSS Score: 8

FortiDeceptor – Reflected XSS vulnerability on Lure Resources page
Advisory Summary: Reflected XSS vulnerability in the FortiDeceptor Lure Resources page.
Affected Products:
- FortiDeceptor version 4.2.0
- FortiDeceptor version 4.1.0 through 4.1.1
- FortiDeceptor version 4.0.2
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-331
CVSS Score: 7.3

FortiSIEM – Glassfish local credentials stored in plain text
Advisory Summary: The Glassfish local password is hardcoded.
Affected Products (at least):
- FortiSIEM version 6.4.0 through 6.4.1
- FortiSIEM version 6.3.0 through 6.3.3
- FortiSIEM version 6.2.0 through 6.2.1
- FortiSIEM version 6.1.0 through 6.1.2
- FortiSIEM version 5.4.0
- FortiSIEM version 5.3.0 through 5.3.3
- FortiSIEM version 5.2.5 through 5.2.8
- FortiSIEM version 5.2.1 through 5.2.2
- FortiSIEM version 5.1.0 through 5.1.3
- FortiSIEM version 5.0.0 through 5.0.1
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-064
CVSS Score: 7.4

FortiTester – Undocumented shell command
Advisory Summary: Undocumented shell command in the FortiTester CLI.
Affected Products:
- FortiTester version 7.1.0
- FortiTester version 7.0.0
- FortiTester version 4.2.0
- FortiTester version 4.1.0 through 4.1.1
- FortiTester version 4.0.0
- FortiTester version 3.9.0 through 3.9.1
- FortiTester version 3.8.0
- FortiTester version 3.7.0 through 3.7.1
- FortiTester version 3.6.0
- FortiTester version 3.5.0 through 3.5.1
- FortiTester version 3.4.0
- FortiTester version 3.3.0 through 3.3.1
- FortiTester version 3.2.0
- FortiTester version 3.1.0
- FortiTester version 3.0.0
- FortiTester version 2.9.0
- FortiTester version 2.8.0
- FortiTester version 2.7.0
- FortiTester version 2.6.0
- FortiTester version 2.5.0
- FortiTester version 2.4.0 through 2.4.1
- FortiTester version 2.3.0
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-283
CVSS Score: 6.5

FortiTester – Command injection in CLI command
Advisory Summary: Command injection vulnerability in the FortiTester CLI ping command.
Affected Products:
- FortiTester version 7.1.0
- FortiTester version 7.0.0
- FortiTester version 4.2.0
- FortiTester version 4.1.0 through 4.1.1
- FortiTester version 4.0.0
- FortiTester version 3.9.0 through 3.9.1
- FortiTester version 3.8.0
- FortiTester version 3.7.0 through 3.7.1
- FortiTester version 3.6.0
- FortiTester version 3.5.0 through 3.5.1
- FortiTester version 3.4.0
- FortiTester version 3.3.0 through 3.3.1
- FortiTester version 3.2.0
- FortiTester version 3.1.0
- FortiTester version 3.0.0
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-070
CVSS Score: 7.4

FortiOS – RSA SSH host key lost at shutdown
Advisory Summary: RSA SSH host keys are lost at reboot, increasing the chances of a successful man-in-the-middle attack.
Affected Products:
- FortiOS version 7.2.0
- FortiOS version 7.0.6
- FortiOS version 6.4.9
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-228
CVSS Score: 3.8

FortiEDR CollectorWindows – protection bypass by killing the process with special tools
Advisory Summary: Protection bypass by killing the process with special tools in FortiEDR CollectorWindows.
Affected Products:
- FortiEDR CollectorWindows version 5.1.0
- FortiEDR CollectorWindows version 5.0.0 through 5.0.3.751
- FortiEDR CollectorWindows version 4.0.0 through 4.1
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-218
CVSS Score: 4

FortiADC – Stored XSS vulnerability in external resource page
Advisory Summary: Stored XSS vulnerability in the FortiADC external resource page.
Affected Products:
- FortiADC version 7.1.0
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-314
CVSS Score: 7.5

FortiOS – Telnet on the SSL-VPN interface results in information leak
Advisory Summary: Sensitive information leakage when a telnet is performed on the SSL-VPN interface.
Affected Products:
- FortiOS version 7.2.0
- FortiOS version 7.0.0 through 7.0.6
- FortiOS version 6.4.0 through 6.4.9
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-223
CVSS Score: 3.7

FortiClient (MAC) – FortiTray stores the SSLVPN password in cleartext
Advisory Summary: Cleartext credential storage in the FortiTray process in FortiClientMac.
Affected Products:
- FortiClientMac version 7.0.0 through 7.0.5
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-246
CVSS Score: 2.2

FortiMail – Inter-domain information leakage
Advisory Summary: Inter-domain information leakage in FortiMail.
Affected Products:
- FortiMail version 7.2.0
- FortiMail version 7.0.0 through 7.0.3
- FortiMail version 6.4.0 through 6.4.7
- FortiMail version 6.2.0 through 6.2.9
- FortiMail version 6.0.0 through 6.0.12
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-066
CVSS Score: 5.1

AV Engine – evasion by manipulating MIME attachment
Advisory Summary: AV Engine evasion vulnerability.
Affected Products:
- FortiOS running AV engine version 6.2.168 and below
- FortiOS running AV engine version 6.4.274 and below
- FortiMail running AV engine version 6.2.168 and below
- FortiMail running AV engine version 6.4.274 and below
- FortiClient running AV engine version 6.2.168 and below
- FortiClient running AV engine version 6.4.274 and below
Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-22-074
CVSS Score: 4.3