{"uuid": "095373a5-9369-47a8-addc-a3cc46dc2b41", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Fortinet - November 12 2024 - advisories", "description": "FG-IR-24-115 Arbitrary file read in administrative interface\nCVE-2024-32117\n\nAn improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22]...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...\n\nPublished: Nov 12, 2024\n\nGUI\n\nMedium Severity\n\nFG-IR-24-032 FortiOS - Improper authentication in fgfmd\nCVE-2024-26011\n\nAn improper authentication vulnerability [CWE-287] in FortiManager, FortiOS, FortiPAM, FortiPortal,...\n\nFortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.4, 7.2.3 ... FortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.7 ... FortiPAM 1.2.0, 1.1.2, 1.1.1, 1.1.0, 1.0.3 ... FortiPortal 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10 ... FortiProxy 7.4.2, 7.4.1, 7.4.0, 7.2.9, 7.2.8 ... FortiSwitchManager 7.2.3, 7.2.2, 7.2.1, 7.2.0, 7.0.3 ...\n\nPublished: Nov 12, 2024\n\nMedium Severity\n\nFG-IR-23-475 FortiOS - SSLVPN session hijacking using SAML authentication\nCVE-2023-50176\n\nA session fixation vulnerability [CWE-384] in FortiOS may allow an unauthenticated attacker to hijack user...\n\nFortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.7 ...\n\nPublished: Nov 12, 2024\n\nSSL-VPN\n\nHigh Severity\n\nFG-IR-24-125 Heap buffer overflow in httpd\nCVE-2024-33505\n\nA heap-based buffer overflow vulnerability [CWE-122] in FortiManager and FortiAnalyzer httpd daemon may...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer Cloud 7.4.2, 7.4.1, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiManager Cloud 7.4.2, 7.4.1, 7.2.6, 7.2.5, 7.2.4 ...\n\nPublished: Nov 12, 2024\n\nGUI\n\nMedium Severity\n\nFG-IR-23-267 Lack of capacity to filter logs by administrator access\nCVE-2023-44255\n\nAn Exposure of personal information to an unauthorized actor [CWE-359] in FortiManager, FortiAnalyzer &...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... FortiAnalyzer-BigData 7.4.0, 7.2.8, 7.2.7, 7.2.6, 7.2.5 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ...\n\nPublished: Nov 12, 2024\n\nGUI\n\nLow Severity\n\nFG-IR-24-116 OS command injection in CLI command\nCVE-2024-32118\n\nAn improper neutralization of special elements used in an OS command ('OS Command Injection')...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...\n\nPublished: Nov 12, 2024\n\nCLI\n\nMedium Severity\n\nFG-IR-24-099 Path traversal vulnerability in CLI commands\nCVE-2024-32116\n\nMultiple relative path traversal vulnerabilities [CWE-23] in FortiManager, FortiAnalyzer &...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...\n\nPublished: Nov 12, 2024\n\nCLI\n\nMedium Severity\n\nFG-IR-24-179 Path traversal vulnerability leading to file creation\nCVE-2024-35274\n\nAn improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22]...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ... FortiAnalyzer-BigData 7.4.0, 7.2.8, 7.2.7, 7.2.6, 7.2.5 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.8, 7.2.7 ...\n\nPublished: Nov 12, 2024\n\nCLI\n\nLow Severity\n\nFG-IR-23-396 Readonly users could run some sensitive operations\nCVE-2024-23666\n\nA client-side enforcement of server-side security vulnerability [CWE-602] in FortiAnalyzer may allow an...\n\nFortiAnalyzer 7.4.1, 7.4.0, 7.2.4, 7.2.3, 7.2.2 ... FortiAnalyzer-BigData 7.4.0, 7.2.6, 7.2.5, 7.2.4, 7.2.3 ... FortiManager 7.4.1, 7.4.0, 7.2.4, 7.2.3, 7.2.2 ...\n\nPublished: Nov 12, 2024\n\nHigh Severity\n\nFG-IR-24-033 SSLVPN WEB UI Text injection\nCVE-2024-33510\n\nAn improper neutralization of special elements in output used by a downstream component ('Injection')...\n\nFortiOS 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.8 ... FortiProxy 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.9 ...\n\nPublished: Nov 12, 2024\n\nGUI\n\nLow Severity\n\nFG-IR-24-098 Stack buffer overflow in CLI command\nCVE-2024-31496\n\nA stack-based buffer overflow vulnerability [CWE-121] in FortiManager, FortiAnalyzer and...\n\nFortiAnalyzer 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ... FortiAnalyzer-BigData 7.4.0, 7.2.7, 7.2.6, 7.2.5, 7.2.4 ... FortiManager 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4 ...\n\nPublished: Nov 12, 2024", "creation_timestamp": "2024-11-13T15:13:17.127651+00:00", "timestamp": "2024-11-13T15:13:17.127651+00:00", "related_vulnerabilities": ["CVE-2024-35274", "CVE-2024-23666", "CVE-2024-33510", "CVE-2024-32118", "CVE-2024-33505", "CVE-2024-32117", "CVE-2024-32116", "CVE-2024-31496", "CVE-2023-44255", "CVE-2024-26011", "CVE-2023-50176"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
