December 8, 2023

Fortinet addressed 16 vulnerabilities across its product portfolio, six of which received a ‘high’ severity rating.

One of the high-severity issues is a persistent XSS in the log pages of FortiADC, tracked as CVE-2022-38374. The root cause is an improper neutralization of input during web page generation [CWE-79]: HTTP request fields that FortiADC records are later rendered in the traffic and event log views without being neutralized. A remote, unauthenticated attacker can therefore plant a stored cross-site scripting payload in those fields, and it is rendered as live markup whenever the affected log view is displayed.
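The bug class behind CVE-2022-38374, shown in a short Python illustration added here (this is not FortiADC code and makes no claim about how FortiADC’s log view is implemented): a traffic log records attacker-controlled request headers verbatim, as it must, and the vulnerable renderer concatenates them straight into HTML, while the fixed renderer escapes every field at output time. The request bytes, IP addresses and the `/api/admin/export` path are constructed for the example.

```python
import html

# Constructed raw requests, as a load balancer's traffic log would observe
# them on the wire. The second one carries a script payload in User-Agent,
# a header that any client controls completely.
BENIGN_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
MALICIOUS_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b'User-Agent: <script>fetch("/api/admin/export")</script>\r\n\r\n'
)


def log_record_from_request(src_ip: str, raw_request: bytes) -> dict:
    """Parses the request line and headers of a raw HTTP/1.1 request into
    the fields a traffic log keeps. Nothing is sanitised here on purpose:
    a log has to store what was actually seen, so neutralisation belongs
    at render time, not at capture time."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "src": src_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("user-agent", "-"),
    }


def render_log_view_vulnerable(records: list) -> str:
    """CWE-79: logged values are concatenated straight into the page, so a
    <script> stored in User-Agent becomes live markup in the viewer's browser."""
    rows = "".join(
        f"<tr><td>{r['src']}</td><td>{r['method']}</td>"
        f"<td>{r['path']}</td><td>{r['user_agent']}</td></tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


def render_log_view_fixed(records: list) -> str:
    """Same view with every field HTML-escaped at output time; the payload
    is still in the log, but it is displayed as text instead of executed."""
    cells = ("src", "method", "path", "user_agent")
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(r[c])}</td>" for c in cells) + "</tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


def has_live_script_tag(page: str) -> bool:
    """Rough check used only to compare the two renderers: an escaped
    payload contains '&lt;script', never a real '<script'."""
    return "<script" in page.lower()


if __name__ == "__main__":
    records = [
        log_record_from_request("203.0.113.7", BENIGN_REQUEST),
        log_record_from_request("198.51.100.9", MALICIOUS_REQUEST),
    ]
    print("vulnerable view carries live script:", has_live_script_tag(render_log_view_vulnerable(records)))
    print("fixed view carries live script:     ", has_live_script_tag(render_log_view_fixed(records)))
```

The point worth keeping in mind when reviewing log viewers: sanitising at capture time is wrong (it corrupts the evidence and still misses fields added later), so the fix is contextual output encoding in the view itself, applied to every column regardless of how trusted the source looks.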

Another issue is a command injection in the CLI of FortiTester, tracked as CVE-2022-33870. An improper neutralization of special elements used in an OS command [CWE-78] in the FortiTester command line interpreter may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
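The CWE-78 pattern behind CVE-2022-33870, as an added Python illustration (this is not FortiTester code; the `lookup` verb, the host allowlist pattern and the use of `echo` as the backing binary so that the example runs offline are all assumptions): a restricted CLI that splices an operator-supplied argument into a shell string lets a crafted argument start an extra command, while passing an argv list, and validating the argument against an allowlist, prevents it.

```python
import re
import subprocess

# Hypothetical diagnostic CLI: an authenticated operator may run
# "lookup <host>". To keep this runnable offline the backing binary is
# "echo" rather than a real resolver; the injection mechanics are identical.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,252})")

CRAFTED_ARGUMENT = "127.0.0.1; echo INJECTED"   # constructed attacker input


def run_lookup_vulnerable(host: str) -> str:
    """CWE-78: the argument is spliced into a shell command line, so shell
    metacharacters in it (';', '|', '$(...)') start additional commands."""
    completed = subprocess.run(
        "echo resolving " + host, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def run_lookup_argv(host: str) -> str:
    """First fix: pass an argv list so no shell parses the argument. The
    payload reaches the binary as one literal argument and nothing else runs."""
    completed = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True
    )
    return completed.stdout


def run_lookup_fixed(host: str) -> str:
    """Second layer: reject anything that is not a plausible hostname or
    IPv4 literal before it gets anywhere near a process."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return run_lookup_argv(host)


if __name__ == "__main__":
    # Two lines of output; the second one is attacker-controlled.
    print(run_lookup_vulnerable(CRAFTED_ARGUMENT), end="")
    # One line; the payload is printed literally, not executed.
    print(run_lookup_argv(CRAFTED_ARGUMENT), end="")
    try:
        run_lookup_fixed(CRAFTED_ARGUMENT)
    except ValueError as err:
        print(err)
```

When auditing a restricted CLI, the question to ask for every verb is whether an argument ever reaches `sh -c`, `system()` or `popen()` as part of a string; an allowlist alone is fragile (it has to anticipate every metacharacter the underlying shell honours), so the argv form is the primary fix and validation is defence in depth.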


Another issue, tracked as CVE-2022-26119, impacts FortiSIEM and is described as Glassfish local credentials stored in plain text. A local attacker with command-line access can exploit the bug to perform operations on the Glassfish server directly via a hardcoded password.

Fortinet fixed vulnerabilities list

CVE-ID           Description
CVE-2022-38374   An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability
CVE-2022-35851   An improper neutralization of input during web page generation vulnerability [CWE-79]
CVE-2022-39950   An improper neutralization of input during web page generation vulnerability [CWE-79]
CVE-2022-38373   An improper neutralization of input during web page generation vulnerability [CWE-79]
CVE-2022-33870   An improper neutralization of special elements used in an OS command vulnerability [CWE-78]
CVE-2022-26119   An improper authentication vulnerability
CVE-2022-38372   A hidden functionality vulnerability [CWE-1242]
CVE-2022-39945   An improper access control vulnerability [CWE-284]
CVE-2022-42473   A missing authentication for a critical function vulnerability
CVE-2022-38381   An improper handling of malformed request vulnerability [CWE-228]
CVE-2022-26122   An insufficient verification of data authenticity vulnerability [CWE-345]
CVE-2022-39949   An improper control of a resource through its lifetime vulnerability [CWE-664]
CVE-2022-38380   An improper access control vulnerability [CWE-284]
CVE-2022-30307   A key management error vulnerability [CWE-320]
CVE-2022-35842   An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200]
CVE-2022-33878   An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200]
