An Improper Access Control vulnerability in Fortinet FortiOS allows an attacker to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
See advisories in our WLB2 database:
FortiGate FortiOS LDAP Credential Disclosure
The URL part of the report message is not encoded in Fortinet FortiWeb 6.0.2 and below, which may allow an attacker to execute unauthorized code or commands (Cross Site Scripting) via attack reports generated in HTML form.
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webU...
/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v220.127.116.11 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is r...
Dynacolor FCM-MB40 v18.104.22.168 devices have CSRF in all scripts under cgi-bin/.
Dynacolor FCM-MB40 v22.214.171.124 devices use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info.
Dynacolor FCM-MB40 v126.96.36.199 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation.
Dynacolor FCM-MB40 v188.8.131.52 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrl_save_profile.cgi (save parameter) and cgi-bin/ddns.cgi.