Fortinet – November 2022 Vulnerability Advisories

Fortinet vulnerabilities – November 2022. Sixteen vulnerabilities were reported, 6 of which are classified as "high severity" (CVSS 7.0 or higher).

Check the affected systems and vulnerabilities, and update the operating systems regularly.


FortiManager/FortiAnalyzer – XSS Vulnerability in Report Templates

Advisory Summary:

An XSS attack can be conducted via a crafted CKEditor "protected" comment in the report templates.

Affected Products:

FortiAnalyzer version 7.0.0 through 7.0.4
FortiAnalyzer version 6.4.0 through 6.4.8
FortiAnalyzer 6.2 all versions

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-21-228

CVSS Score:

7.6

FortiADC – WAF XSS Injection Bypass

Advisory Summary:

Bypass of the FortiADC WAF XSS injection protection.

Affected Products:

FortiADC version 7.0.0 through 7.0.2
FortiADC version 6.2.0 through 6.2.3
FortiADC version 6.1.0 through 6.1.6
FortiADC version 6.0.0 through 6.0.4
FortiADC version 5.4.0 through 5.4.5
FortiADC version 5.3.0 through 5.3.7
FortiADC version 5.2.0 through 5.2.8
FortiADC version 5.1.0 through 5.1.7
FortiADC version 5.0.0 through 5.0.4

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-234

CVSS Score:

5.2

FortiSOAR – PostgreSQL DB access to local users

Advisory Summary:

The PostgreSQL database in FortiSOAR is unprotected and accessible to local users.

Affected Products:

FortiSOAR version 7.2.0 through 7.2.2
FortiSOAR version 7.0.0 through 7.0.3
FortiSOAR version 6.4.0 through 6.4.4

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-216

CVSS Score:

4.8

FortiADC – Persistent XSS in Log pages

Advisory Summary:

A remote unauthenticated attacker may inject a malicious payload in an HTTP request issued from a host behind FortiADC that is acting as a load balancer.

Affected Products:

FortiADC version 7.0.0 through 7.0.2
FortiADC version 6.2.0 through 6.2.3

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-232

CVSS Score:

8.0

FortiDeceptor – Reflected XSS vulnerability on Lure Resources page

Advisory Summary:

Reflected XSS vulnerability in FortiDeceptor Lure Resources page

Affected Products:

FortiDeceptor version 4.2.0
FortiDeceptor version 4.1.0 through 4.1.1
FortiDeceptor version 4.0.2

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-331

CVSS Score:

7.3

FortiSIEM – Glassfish local credentials stored in plain text

Advisory Summary:

The local GlassFish password is hardcoded and stored in plain text.

Affected Products:

At least:
FortiSIEM version 6.4.0 through 6.4.1
FortiSIEM version 6.3.0 through 6.3.3
FortiSIEM version 6.2.0 through 6.2.1
FortiSIEM version 6.1.0 through 6.1.2
FortiSIEM version 5.4.0
FortiSIEM version 5.3.0 through 5.3.3
FortiSIEM version 5.2.5 through 5.2.8
FortiSIEM version 5.2.1 through 5.2.2
FortiSIEM version 5.1.0 through 5.1.3
FortiSIEM version 5.0.0 through 5.0.1

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-064

CVSS Score:

7.4

FortiTester – Undocumented shell command

Advisory Summary:

Undocumented shell command in FortiTester CLI

Affected Products:

FortiTester version 7.1.0
FortiTester version 7.0.0
FortiTester version 4.2.0
FortiTester version 4.1.0 through 4.1.1
FortiTester version 4.0.0
FortiTester version 3.9.0 through 3.9.1
FortiTester version 3.8.0
FortiTester version 3.7.0 through 3.7.1
FortiTester version 3.6.0
FortiTester version 3.5.0 through 3.5.1
FortiTester version 3.4.0
FortiTester version 3.3.0 through 3.3.1
FortiTester version 3.2.0
FortiTester version 3.1.0
FortiTester version 3.0.0
FortiTester version 2.9.0
FortiTester version 2.8.0
FortiTester version 2.7.0
FortiTester version 2.6.0
FortiTester version 2.5.0
FortiTester version 2.4.0 through 2.4.1
FortiTester version 2.3.0

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-283

CVSS Score:

6.5

FortiTester – Command injection in CLI command

Advisory Summary:

Command injection vulnerability in FortiTester CLI ping command

Affected Products:

FortiTester version 7.1.0
FortiTester version 7.0.0
FortiTester version 4.2.0
FortiTester version 4.1.0 through 4.1.1
FortiTester version 4.0.0
FortiTester version 3.9.0 through 3.9.1
FortiTester version 3.8.0
FortiTester version 3.7.0 through 3.7.1
FortiTester version 3.6.0
FortiTester version 3.5.0 through 3.5.1
FortiTester version 3.4.0
FortiTester version 3.3.0 through 3.3.1
FortiTester version 3.2.0
FortiTester version 3.1.0
FortiTester version 3.0.0

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-070

CVSS Score:

7.4

FortiOS – RSA SSH host key lost at shutdown

Advisory Summary:

The RSA SSH host key is lost at reboot, so the device presents a different host-key fingerprint after restarting; administrators who get used to accepting changed host keys are easier targets for man-in-the-middle attacks.

Affected Products:

FortiOS version 7.2.0
FortiOS version 7.0.6
FortiOS version 6.4.9

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-228

CVSS Score:

3.8

FortiEDR CollectorWindows – protection bypass by killing the process with special tools

Advisory Summary:

Protection bypass by killing the FortiEDR CollectorWindows process with special tools.

Affected Products:

FortiEDR CollectorWindows version 5.1.0
FortiEDR CollectorWindows version 5.0.0 through 5.0.3.751
FortiEDR CollectorWindows version 4.0.0 through 4.1

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-218

CVSS Score:

4.0

FortiADC – Stored XSS vulnerability in external resource page

Advisory Summary:

Stored XSS vulnerability in FortiADC external resource page

Affected Products:

FortiADC version 7.1.0

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-314

CVSS Score:

7.5

FortiOS – Telnet on the SSL-VPN interface results in information leak

Advisory Summary:

Sensitive information leaks when a Telnet connection is made to the SSL-VPN interface.

Affected Products:

FortiOS version 7.2.0
FortiOS version 7.0.0 through 7.0.6
FortiOS version 6.4.0 through 6.4.9

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-223

CVSS Score:

3.7

FortiClient (MAC) – FortiTray stores the SSLVPN password in cleartext

Advisory Summary:

Cleartext credential storage in the FortiTray process of FortiClient (Mac).

Affected Products:

FortiClientMac version 7.0.0 through 7.0.5

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-246

CVSS Score:

2.2

FortiMail – Inter-domain information leakage

Advisory Summary:

Inter-domain information leakage in FortiMail

Affected Products:

FortiMail version 7.2.0
FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.9
FortiMail version 6.0.0 through 6.0.12

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-066

CVSS Score:

5.1

AV Engine – evasion by manipulating MIME attachment

Advisory Summary:

AV Engine evasion vulnerability

Affected Products:

FortiOS running AV engine version 6.2.168 and below
FortiOS running AV engine version 6.4.274 and below
FortiMail running AV engine version 6.2.168 and below
FortiMail running AV engine version 6.4.274 and below
FortiClient running AV engine version 6.2.168 and below
FortiClient running AV engine version 6.4.274 and below

Fortinet Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-074

CVSS Score:

4.3
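To act on the recommendation at the top of this page ("check the affected systems"), the following added example, which is not code from Fortinet or from this page, parses "Affected Products" lines in the wording used by the advisories above and matches a device inventory against them. The advisory IDs and version ranges are copied from entries on this page; the hostnames and installed versions are constructed sample data. The example handles the four phrasings that occur on the page ("A through B", a single version, "X.Y all versions" and "X and below"); treating "X and below" as scoped to X's major.minor branch is an assumption, and the zero-padded comparison is what makes "through 4.1" cover 4.1.0.

```python
# Added example: match an inventory against the "Affected Products" wording used above.
# Advisory IDs and version ranges are copied from entries on this page; hostnames and
# installed versions are constructed sample data.
import re
from dataclasses import dataclass
from typing import Optional

AFFECTED = {
    "FG-IR-22-232": [  # FortiADC - Persistent XSS in Log pages
        "FortiADC version 7.0.0 through 7.0.2",
        "FortiADC version 6.2.0 through 6.2.3",
    ],
    "FG-IR-21-228": [  # FortiAnalyzer - XSS in report templates
        "FortiAnalyzer version 7.0.0 through 7.0.4",
        "FortiAnalyzer version 6.4.0 through 6.4.8",
        "FortiAnalyzer 6.2 all versions",
    ],
    "FG-IR-22-218": [  # FortiEDR CollectorWindows - protection bypass
        "FortiEDR CollectorWindows version 5.1.0",
        "FortiEDR CollectorWindows version 5.0.0 through 5.0.3.751",
        "FortiEDR CollectorWindows version 4.0.0 through 4.1",
    ],
}

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("adc-edge-01", "FortiADC", "7.0.2"),                 # last affected build
    ("adc-edge-02", "FortiADC", "7.0.3"),                 # first build past the range
    ("faz-01", "FortiAnalyzer", "6.2.11"),                # matched by "6.2 all versions"
    ("edr-ws-02", "FortiEDR CollectorWindows", "5.1.0"),  # single listed version
    ("edr-ws-17", "FortiEDR CollectorWindows", "4.1.0"),  # "through 4.1" must cover 4.1.0
]

VERSION = r"\d+(?:\.\d+)*"
PATTERNS = [
    ("through", re.compile(rf"^(?P<product>.+?) version (?P<low>{VERSION}) through (?P<high>{VERSION})$")),
    ("all", re.compile(rf"^(?P<product>.+?) (?P<branch>{VERSION}) all versions$")),
    ("below", re.compile(rf"^(?P<product>.+?) version (?P<high>{VERSION}) and below$")),
    ("exact", re.compile(rf"^(?P<product>.+?) version (?P<ver>{VERSION})$")),
]

@dataclass(frozen=True)
class Range:
    product: str
    low: Optional[tuple]     # None: no lower bound
    high: Optional[tuple]    # None: no upper bound
    branch: Optional[tuple]  # None: any branch; else the version must start with this prefix

def vtuple(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))

def vcmp(a: tuple, b: tuple) -> int:
    """Compare versions, zero-padding the shorter so that 4.1 == 4.1.0 (not 4.1 < 4.1.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_range(line: str) -> Range:
    text = line.strip().rstrip(".")
    for kind, rx in PATTERNS:
        m = rx.match(text)
        if not m:
            continue
        product = m["product"].strip()
        if kind == "through":
            return Range(product, vtuple(m["low"]), vtuple(m["high"]), None)
        if kind == "all":
            return Range(product, None, None, vtuple(m["branch"]))
        if kind == "below":
            # Assumption: "X and below" is scoped to X's major.minor branch, so
            # "6.2.168 and below" covers 6.2.0..6.2.168 but says nothing about 6.1.x.
            high = vtuple(m["high"])
            return Range(product, None, high, high[:2])
        ver = vtuple(m["ver"])
        return Range(product, ver, ver, None)
    raise ValueError(f"unrecognised affected-version line: {line!r}")

def affected(r: Range, version: str) -> bool:
    v = vtuple(version)
    in_branch = r.branch is None or v[: len(r.branch)] == r.branch
    at_or_above_low = r.low is None or vcmp(v, r.low) >= 0
    at_or_below_high = r.high is None or vcmp(v, r.high) <= 0
    return in_branch and at_or_above_low and at_or_below_high

def check_inventory(inventory, advisories):
    """Return sorted (host, product, version, advisory_id) tuples for every match."""
    ranges = {aid: [parse_range(line) for line in lines] for aid, lines in advisories.items()}
    hits = []
    for host, product, version in inventory:
        for aid, rs in ranges.items():
            if any(r.product == product and affected(r, version) for r in rs):
                hits.append((host, product, version, aid))
    return sorted(hits)

if __name__ == "__main__":
    for host, product, version, aid in check_inventory(INVENTORY, AFFECTED):
        print(f"{host}: {product} {version} is affected by {aid}")
```

Product names must match the advisory wording exactly (for example "FortiEDR CollectorWindows", not "FortiEDR"), so normalise your inventory export before feeding it in; any line the parser does not recognise raises rather than being silently treated as unaffected.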
