Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for Fortinet FortiManager by Fortinet

    CVE-2022-22303 (GCVE-0-2022-22303)

    Vulnerability from nvd – Published: 2022-03-02 10:00 – Updated: 2024-10-22 21:00
    VLAI
    Summary
    An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Information disclosure
    Assigner
    References
    URL Tags
    https://fortiguard.com/psirt/FG-IR-21-165 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:07:50.277Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/psirt/FG-IR-21-165"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-22303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-22T20:19:46.875450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-22T21:00:31.912Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 2.8,
                "temporalSeverity": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-02T10:00:12.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/psirt/FG-IR-21-165"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2022-22303",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "High",
                "attackVector": "Local",
                "availabilityImpact": "None",
                "baseScore": 2.8,
                "baseSeverity": "Low",
                "confidentialityImpact": "Low",
                "integrityImpact": "None",
                "privilegesRequired": "Low",
                "scope": "Changed",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/psirt/FG-IR-21-165",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/psirt/FG-IR-21-165"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2022-22303",
        "datePublished": "2022-03-02T10:00:12.000Z",
        "dateReserved": "2022-01-03T00:00:00.000Z",
        "dateUpdated": "2024-10-22T21:00:31.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-36192 (GCVE-0-2021-36192)

    Vulnerability from nvd – Published: 2021-11-03 10:17 – Updated: 2024-10-25 13:43
    VLAI
    Summary
    An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Information disclosure
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-21-103 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:54:50.127Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-21-103"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-36192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:57:51.717117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:43:18.652Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "UNAVAILABLE",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 5.1,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:U/RC:C",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-03T10:17:20.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-21-103"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-36192",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Local",
                "availabilityImpact": "None",
                "baseScore": 5.1,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Changed",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:U/RC:C",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-21-103",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-21-103"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-36192",
        "datePublished": "2021-11-03T10:17:20.000Z",
        "dateReserved": "2021-07-06T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:43:18.652Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26107 (GCVE-0-2021-26107)

    Vulnerability from nvd – Published: 2021-11-02 17:51 – Updated: 2024-10-25 13:47
    VLAI
    Summary
    An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-21-043 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.5, 6.4.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.419Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-21-043"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26107",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:01.867833Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:47:55.852Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.5, 6.4.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "WORKAROUND",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 6.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:H/RL:W/RC:C",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-02T17:51:44.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-21-043"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-26107",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.5, 6.4.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "availabilityImpact": "Low",
                "baseScore": 6.2,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:H/RL:W/RC:C",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper access control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-21-043",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-21-043"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-26107",
        "datePublished": "2021-11-02T17:51:44.000Z",
        "dateReserved": "2021-01-25T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:47:55.852Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24017 (GCVE-0-2021-24017)

    Vulnerability from nvd – Published: 2021-09-30 15:21 – Updated: 2024-10-25 13:49
    VLAI
    Summary
    An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-20-189 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.3, 6.2.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:10.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-20-189"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-24017",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:15.789961Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:49:47.782Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.3, 6.2.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "UNCHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:H/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-30T15:21:03.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-20-189"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-24017",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.3, 6.2.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "availabilityImpact": "Low",
                "baseScore": 5.4,
                "baseSeverity": "Medium",
                "confidentialityImpact": "None",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:H/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper access control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-20-189",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-20-189"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-24017",
        "datePublished": "2021-09-30T15:21:03.000Z",
        "dateReserved": "2021-01-13T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:49:47.782Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24016 (GCVE-0-2021-24016)

    Vulnerability from nvd – Published: 2021-09-30 15:18 – Updated: 2024-10-25 13:49
    VLAI
    Summary
    An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Execute unauthorized code or commands
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-20-190 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.3, 6.2.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:10.057Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-20-190"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-24016",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:16.962299Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:49:57.964Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.3, 6.2.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "PROOF_OF_CONCEPT",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 3.5,
                "temporalSeverity": "LOW",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Execute unauthorized code or commands",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-30T15:18:38.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-20-190"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-24016",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.3, 6.2.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "High",
                "attackVector": "Adjacent",
                "availabilityImpact": "None",
                "baseScore": 3.5,
                "baseSeverity": "Low",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "High",
                "scope": "Changed",
                "userInteraction": "Required",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Execute unauthorized code or commands"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-20-190",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-20-190"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-24016",
        "datePublished": "2021-09-30T15:18:38.000Z",
        "dateReserved": "2021-01-13T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:49:57.964Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24006 (GCVE-0-2021-24006)

    Vulnerability from nvd – Published: 2021-09-06 18:56 – Updated: 2024-10-25 13:50
    VLAI
    Summary
    An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Access Control
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-20-061 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.0 to 6.4.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:10.057Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-20-061"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-24006",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:19.648147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:50:43.582Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.0 to 6.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "UNCHANGED",
                "temporalScore": 6.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-06T18:56:19.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-20-061"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-24006",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.0 to 6.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "availabilityImpact": "Low",
                "baseScore": 6.2,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-20-061",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-20-061"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-24006",
        "datePublished": "2021-09-06T18:56:19.000Z",
        "dateReserved": "2021-01-13T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:50:43.582Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-17654 (GCVE-0-2019-17654)

    Vulnerability from nvd – Published: 2020-03-15 22:20 – Updated: 2024-10-25 14:26
    VLAI
    Summary
    An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Access Control
    Assigner
    References
    URL Tags
    https://fortiguard.com/psirt/FG-IR-19-191 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: 6.2.1
    Affected: 6.2.0
    Affected: 6.0.6 and below
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T01:47:13.427Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/psirt/FG-IR-19-191"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-17654",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T20:03:40.280141Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T14:26:07.912Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.2.1"
                },
                {
                  "status": "affected",
                  "version": "6.2.0"
                },
                {
                  "status": "affected",
                  "version": "6.0.6 and below"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-15T22:20:58.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/psirt/FG-IR-19-191"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2019-17654",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "6.2.1"
                              },
                              {
                                "version_value": "6.2.0"
                              },
                              {
                                "version_value": "6.0.6 and below"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/psirt/FG-IR-19-191",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/psirt/FG-IR-19-191"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2019-17654",
        "datePublished": "2020-03-15T22:20:58.000Z",
        "dateReserved": "2019-10-16T00:00:00.000Z",
        "dateUpdated": "2024-10-25T14:26:07.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22303 (GCVE-0-2022-22303)

    Vulnerability from cvelistv5 – Published: 2022-03-02 10:00 – Updated: 2024-10-22 21:00
    VLAI
    Summary
    An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Information disclosure
    Assigner
    References
    URL Tags
    https://fortiguard.com/psirt/FG-IR-21-165 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:07:50.277Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/psirt/FG-IR-21-165"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-22303",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-22T20:19:46.875450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-22T21:00:31.912Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 2.8,
                "temporalSeverity": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-02T10:00:12.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/psirt/FG-IR-21-165"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2022-22303",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 7.0.2, 7.0.1, 7.0.0, 6.4.7, 6.4.6, 6.4.5, 6.4.4, 6.4.3, 6.4.2, 6.4.1, 6.4.0, 6.2.9, 6.2.8, 6.2.7, 6.2.6, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager versions prior to 7.0.2, 6.4.7 and 6.2.9 may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "High",
                "attackVector": "Local",
                "availabilityImpact": "None",
                "baseScore": 2.8,
                "baseSeverity": "Low",
                "confidentialityImpact": "Low",
                "integrityImpact": "None",
                "privilegesRequired": "Low",
                "scope": "Changed",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/psirt/FG-IR-21-165",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/psirt/FG-IR-21-165"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2022-22303",
        "datePublished": "2022-03-02T10:00:12.000Z",
        "dateReserved": "2022-01-03T00:00:00.000Z",
        "dateUpdated": "2024-10-22T21:00:31.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-36192 (GCVE-0-2021-36192)

    Vulnerability from cvelistv5 – Published: 2021-11-03 10:17 – Updated: 2024-10-25 13:43
    VLAI
    Summary
    An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Information disclosure
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-21-103 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:54:50.127Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-21-103"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-36192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:57:51.717117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:43:18.652Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "UNAVAILABLE",
                "reportConfidence": "CONFIRMED",
                "scope": "CHANGED",
                "temporalScore": 5.1,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:U/RC:C",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-03T10:17:20.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-21-103"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-36192",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiManager 7.0.1 and below, 6.4.6 and below, 6.2.x, 6.0.x, 5.6.0 may allow a FortiGate user to see scripts from other ADOMS."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Local",
                "availabilityImpact": "None",
                "baseScore": 5.1,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Changed",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:F/RL:U/RC:C",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-21-103",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-21-103"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-36192",
        "datePublished": "2021-11-03T10:17:20.000Z",
        "dateReserved": "2021-07-06T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:43:18.652Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26107 (GCVE-0-2021-26107)

    Vulnerability from cvelistv5 – Published: 2021-11-02 17:51 – Updated: 2024-10-25 13:47
    VLAI
    Summary
    An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-21-043 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.5, 6.4.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:19:19.419Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-21-043"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-26107",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:01.867833Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:47:55.852Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.5, 6.4.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "WORKAROUND",
                "reportConfidence": "CONFIRMED",
                "scope": "UNCHANGED",
                "temporalScore": 6.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:H/RL:W/RC:C",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-02T17:51:44.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-21-043"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-26107",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.5, 6.4.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "availabilityImpact": "Low",
                "baseScore": 6.2,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:H/RL:W/RC:C",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper access control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-21-043",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-21-043"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-26107",
        "datePublished": "2021-11-02T17:51:44.000Z",
        "dateReserved": "2021-01-25T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:47:55.852Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24017 (GCVE-0-2021-24017)

    Vulnerability from cvelistv5 – Published: 2021-09-30 15:21 – Updated: 2024-10-25 13:49
    VLAI
    Summary
    An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper access control
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-20-189 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.3, 6.2.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:10.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-20-189"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-24017",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:15.789961Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:49:47.782Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.3, 6.2.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitCodeMaturity": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "UNCHANGED",
                "temporalScore": 5.4,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:H/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper access control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-30T15:21:03.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-20-189"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-24017",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.3, 6.2.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "availabilityImpact": "Low",
                "baseScore": 5.4,
                "baseSeverity": "Medium",
                "confidentialityImpact": "None",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:H/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper access control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-20-189",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-20-189"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-24017",
        "datePublished": "2021-09-30T15:21:03.000Z",
        "dateReserved": "2021-01-13T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:49:47.782Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24016 (GCVE-0-2021-24016)

    Vulnerability from cvelistv5 – Published: 2021-09-30 15:18 – Updated: 2024-10-25 13:49
    VLAI
    Summary
    An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Execute unauthorized code or commands
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-20-190 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.3, 6.2.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:10.057Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-20-190"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-24016",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:16.962299Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:49:57.964Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.3, 6.2.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "PROOF_OF_CONCEPT",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "CHANGED",
                "temporalScore": 3.5,
                "temporalSeverity": "LOW",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Execute unauthorized code or commands",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-30T15:18:38.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-20-190"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-24016",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.3, 6.2.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "High",
                "attackVector": "Adjacent",
                "availabilityImpact": "None",
                "baseScore": 3.5,
                "baseSeverity": "Low",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "High",
                "scope": "Changed",
                "userInteraction": "Required",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Execute unauthorized code or commands"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-20-190",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-20-190"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-24016",
        "datePublished": "2021-09-30T15:18:38.000Z",
        "dateReserved": "2021-01-13T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:49:57.964Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24006 (GCVE-0-2021-24006)

    Vulnerability from cvelistv5 – Published: 2021-09-06 18:56 – Updated: 2024-10-25 13:50
    VLAI
    Summary
    An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Access Control
    Assigner
    References
    URL Tags
    https://fortiguard.com/advisory/FG-IR-20-061 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: FortiManager 6.4.0 to 6.4.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:14:10.057Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/advisory/FG-IR-20-061"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-24006",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-23T13:58:19.648147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T13:50:43.582Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "FortiManager 6.4.0 to 6.4.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitCodeMaturity": "FUNCTIONAL",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "remediationLevel": "NOT_DEFINED",
                "reportConfidence": "NOT_DEFINED",
                "scope": "UNCHANGED",
                "temporalScore": 6.2,
                "temporalSeverity": "MEDIUM",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-09-06T18:56:19.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/advisory/FG-IR-20-061"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2021-24006",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "FortiManager 6.4.0 to 6.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An improper access control vulnerability in FortiManager versions 6.4.0 to 6.4.3 may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel via directly visiting its URL."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "availabilityImpact": "Low",
                "baseScore": 6.2,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "integrityImpact": "Low",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "userInteraction": "None",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/advisory/FG-IR-20-061",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/advisory/FG-IR-20-061"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2021-24006",
        "datePublished": "2021-09-06T18:56:19.000Z",
        "dateReserved": "2021-01-13T00:00:00.000Z",
        "dateUpdated": "2024-10-25T13:50:43.582Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-17654 (GCVE-0-2019-17654)

    Vulnerability from cvelistv5 – Published: 2020-03-15 22:20 – Updated: 2024-10-25 14:26
    VLAI
    Summary
    An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Access Control
    Assigner
    References
    URL Tags
    https://fortiguard.com/psirt/FG-IR-19-191 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    Fortinet Fortinet FortiManager Affected: 6.2.1
    Affected: 6.2.0
    Affected: 6.0.6 and below
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T01:47:13.427Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://fortiguard.com/psirt/FG-IR-19-191"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-17654",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-24T20:03:40.280141Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-25T14:26:07.912Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fortinet FortiManager",
              "vendor": "Fortinet",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.2.1"
                },
                {
                  "status": "affected",
                  "version": "6.2.0"
                },
                {
                  "status": "affected",
                  "version": "6.0.6 and below"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Access Control",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-15T22:20:58.000Z",
            "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
            "shortName": "fortinet"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://fortiguard.com/psirt/FG-IR-19-191"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@fortinet.com",
              "ID": "CVE-2019-17654",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fortinet FortiManager",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "6.2.1"
                              },
                              {
                                "version_value": "6.2.0"
                              },
                              {
                                "version_value": "6.0.6 and below"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Fortinet"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fortiguard.com/psirt/FG-IR-19-191",
                  "refsource": "CONFIRM",
                  "url": "https://fortiguard.com/psirt/FG-IR-19-191"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "assignerShortName": "fortinet",
        "cveId": "CVE-2019-17654",
        "datePublished": "2020-03-15T22:20:58.000Z",
        "dateReserved": "2019-10-16T00:00:00.000Z",
        "dateUpdated": "2024-10-25T14:26:07.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }