
Fortinet addressed 16 vulnerabilities across its product portfolio; six of the flaws received a ‘high’ severity rating.
One of the high-severity issues is a persistent XSS in the log pages of FortiADC, tracked as CVE-2022-38374. The root cause is an improper neutralization of input during web page generation vulnerability in FortiADC. A remote, unauthenticated attacker can trigger the flaw to perform a stored cross-site scripting attack via HTTP fields observed in the traffic and event log views.
Another issue, tracked as CVE-2022-33870, is a command injection in a CLI command of FortiTester. An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiTester may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
Another issue, tracked as CVE-2022-26119, impacts FortiSIEM and is described as Glassfish local credentials stored in plain text. A local attacker with command-line access can exploit the bug to perform operations on the Glassfish server directly via a hardcoded password.
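The FortiADC bug class described above (request fields logged once, then rendered unescaped into an administrator's log page) is easiest to see in code. The following is an added illustration, not Fortinet code: a constructed traffic-log sample, the vulnerable rendering pattern beside the hardened one, and a small check a defender can run over log entries to find HTTP fields that carry markup metacharacters.

```python
import html
import re

# Constructed sample entries in the shape of a traffic log view. The
# request-side fields are attacker-controlled: any client can send them.
SAMPLE_LOG = [
    {"src": "198.51.100.7", "method": "GET", "path": "/index.html",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101"},
    {"src": "203.0.113.9", "method": "GET", "path": "/<script>x()</script>",
     "user_agent": 'curl/8.0 "<img src=x onerror=x()>"'},
]

COLUMNS = ("src", "method", "path", "user_agent")
HTTP_FIELDS = ("method", "path", "user_agent")
# Characters that must never reach HTML markup unencoded.
MARKUP_CHARS = re.compile(r'[<>"\']')


def render_row_unsafe(entry):
    """Vulnerable pattern: field values are concatenated straight into HTML,
    so a crafted User-Agent or URL is stored once and then executes for
    every administrator who opens the log page."""
    return "<tr>" + "".join(f"<td>{entry[c]}</td>" for c in COLUMNS) + "</tr>"


def render_row_safe(entry):
    """Hardened pattern: every value is HTML-escaped at the point of output,
    regardless of what the log ingestion layer did with it."""
    cells = (html.escape(str(entry[c]), quote=True) for c in COLUMNS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def suspicious_sources(log):
    """Detection aid: source addresses whose HTTP fields carry markup
    metacharacters, i.e. log entries worth reviewing as XSS attempts."""
    return sorted({e["src"] for e in log
                   if any(MARKUP_CHARS.search(str(e[f])) for f in HTTP_FIELDS)})


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(render_row_safe(entry))
    print("entries to review:", suspicious_sources(SAMPLE_LOG))
```

The escaping is applied in the view layer on purpose: filtering at ingestion would silently alter the evidence in the log, while encoding at output keeps the stored record intact and still neutralizes it.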
List of vulnerabilities fixed by Fortinet

| CVE-ID | Description |
| --- | --- |
| CVE-2022-38374 | An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability |
| CVE-2022-35851 | An improper neutralization of input during web page generation vulnerability [CWE-79] |
| CVE-2022-39950 | An improper neutralization of input during web page generation vulnerability [CWE-79] |
| CVE-2022-38373 | An improper neutralization of input during web page generation vulnerability [CWE-79] |
| CVE-2022-33870 | An improper neutralization of special elements used in an OS command vulnerability [CWE-78] |
| CVE-2022-26119 | An improper authentication vulnerability |
| CVE-2022-38372 | A hidden functionality vulnerability [CWE-1242] |
| CVE-2022-39945 | An improper access control vulnerability [CWE-284] |
| CVE-2022-42473 | A missing authentication for a critical function vulnerability |
| CVE-2022-38381 | An improper handling of malformed request vulnerability [CWE-228] |
| CVE-2022-26122 | An insufficient verification of data authenticity vulnerability [CWE-345] |
| CVE-2022-39949 | An improper control of a resource through its lifetime vulnerability [CWE-664] |
| CVE-2022-38380 | An improper access control vulnerability [CWE-284] |
| CVE-2022-30307 | A key management error vulnerability [CWE-320] |
| CVE-2022-35842 | An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] |
| CVE-2022-33878 | An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] |