Fortinet fixed 16 vulnerabilities, 6 rated as high severity

Fortinet addressed 16 vulnerabilities in some of the company’s products, six flaws received a ‘high’ severity rate.

One of the high-severity issues is a persistent XSS, tracked as CVE-2022-38374, in Log pages of FortiADC. The root cause of the issue is an improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC. A remote, unauthenticated attacker can trigger the flaw to perform a stored cross-site scripting (XSS) attack via HTTP fields observed in the traffic and event logviews.

Another issue addressed by the company is a command injection in CLI command, tracked as CVE-2022-33870, of FortiTester.

fortinet CVE-2022-40684

“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiTester may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.” reads the advisory.

Another issue, tracked as CVE-2022-26119, impacts FortiSIEM, the issue is described as “Glassfish local credentials stored in plain text.”

A local attacker with command-line access can exploit the bug to perform operations on the Glassfish server directly via a hardcoded password.

The full list of vulnerabilities addressed in November 2022 is available here.

In October, Fortinet confirmed that the critical authentication bypass issue, tracked as CVE-2022-40684, is being exploited in the wild. The issue impacted FortiGate firewalls and FortiProxy web proxies.

An attacker can exploit the vulnerability to log into vulnerable devices.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

The post Fortinet fixed 16 vulnerabilities, 6 rated as high severity appeared first on Security Affairs.

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source