
PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.
  1. An information disclosure vulnerability [CWE-200] in FortiAnalyzer and FortiManager VM may allow an authenticated attacker to read the FortiCloud credentials which were used to activate the trial license in cleartext.
  2. An improper neutralization of input vulnerability [CWE-79] in FortiWebManager may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device.
  3. An insufficiently protected credentials vulnerability [CWE-522] in FortiSDNConnector may allow an authenticated user to obtain third-party device credentials by visiting the configuration page in the WebUI.
  4. A path traversal vulnerability [CWE-22] in FortiClientEMS may allow an authenticated attacker to inject directory traversal character sequences to add/delete files on the server via the name parameter of Deployment Packages.
  5. An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross-site scripting (XSS) attack via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request via other, hypothetical attacks.
  6. An insufficient session expiration vulnerability [CWE-613] in FortiClientEMS may allow an attacker to reuse unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks).
  7. A stack-based buffer overflow vulnerability [CWE-121] in the profile parser of FortiSandbox may allow an authenticated attacker to potentially execute unauthorized code or commands via specifically crafted HTTP requests.
  8. An improper authentication vulnerability [CWE-287] in FortiManager may allow a standard user to assign or un-assign a global policy package via a POST request to the flatui/json module.
  9. An improper neutralization of formula elements vulnerability [CWE-1236] in FortiManager may allow a local authenticated privileged attacker to execute arbitrary shell code on the end user's host by inserting a CSV formula in the policy names. This is achieved once the user downloads and opens the configuration csv/xls* file.
  10. An insufficient session expiration vulnerability [CWE-613] in FortiSandbox may allow an attacker to reuse unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks).