One of the high-severity issues is a persistent (stored) XSS, tracked as CVE-2022-38374, in the Log pages of FortiADC. The root cause is an improper neutralization of input during web page generation [CWE-79] in FortiADC. A remote, unauthenticated attacker can trigger the flaw to perform a stored cross-site scripting (XSS) attack via HTTP fields observed in the traffic and event log views.
Another issue addressed by the company is a command injection in a CLI command of FortiTester, tracked as CVE-2022-33870.
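The CWE-79 pattern behind this class of bug is that attacker-controlled HTTP fields (headers, paths, user agents) are stored in a log and later interpolated into a log page without output encoding. The following added example is not FortiADC code and is not taken from the advisory; it uses a constructed log entry and hypothetical helper names to show the unsafe rendering beside its hardened form, plus a simple check a defender can run over stored log fields to flag entries that carry HTML markup.

```python
import html
from typing import Dict, List

# Constructed sample log entry (not from the advisory). The user_agent field
# is attacker-controlled: a client can send any string in that header.
SAMPLE_ENTRY: Dict[str, str] = {
    "src_ip": "198.51.100.7",
    "method": "GET",
    "path": "/index.html",
    "user_agent": "<script>alert(1)</script>",
}


def render_row_unsafe(entry: Dict[str, str]) -> str:
    """Vulnerable pattern (CWE-79): raw log values are placed straight into
    the HTML of the log view, so markup in a header becomes live script."""
    cells = "".join(f"<td>{value}</td>" for value in entry.values())
    return f"<tr>{cells}</tr>"


def render_row_safe(entry: Dict[str, str]) -> str:
    """Hardened form: every untrusted value is HTML-escaped during page
    generation, so the browser shows the text instead of executing it."""
    cells = "".join(
        f"<td>{html.escape(str(value), quote=True)}</td>" for value in entry.values()
    )
    return f"<tr>{cells}</tr>"


def flag_markup_fields(entry: Dict[str, str]) -> List[str]:
    """Detection aid for stored logs: return the names of fields whose value
    contains characters that would be meaningful as HTML if rendered raw."""
    suspicious = ("<", ">", "\"", "'", "&")
    return [name for name, value in entry.items()
            if any(ch in str(value) for ch in suspicious)]


if __name__ == "__main__":
    print("unsafe:", render_row_unsafe(SAMPLE_ENTRY))
    print("safe:  ", render_row_safe(SAMPLE_ENTRY))
    print("fields with markup:", flag_markup_fields(SAMPLE_ENTRY))
```

The point of `flag_markup_fields` is triage, not a fix: a log entry with angle brackets in a header is a signal worth reviewing, but the real mitigation is the escaping in `render_row_safe` applied to every field on every log page.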
“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiTester may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands,” reads the advisory.
Another issue, tracked as CVE-2022-26119, impacts FortiSIEM; it is described as “Glassfish local credentials stored in plain text.”
A local attacker with command-line access can exploit the bug to perform operations directly on the Glassfish server via a hardcoded password.
The full list of vulnerabilities addressed in November 2022 is available here.
In October, Fortinet confirmed that the critical authentication bypass issue, tracked as CVE-2022-40684, was being exploited in the wild. The issue impacted FortiGate firewalls and FortiProxy web proxies.
An attacker can exploit the vulnerability to log into vulnerable devices.
(SecurityAffairs – hacking, Fortinet)