One of the high-severity issues is a persistent XSS, tracked as CVE-2022-38374, in the log pages of FortiADC. The root cause is an improper neutralization of input during web page generation [CWE-79] in FortiADC: HTTP fields recorded in the traffic and event log views are written into the page without being neutralized. A remote, unauthenticated attacker can trigger the flaw to perform a stored cross-site scripting (XSS) attack via the HTTP fields observed in those log views.
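The pattern behind CWE-79 in a log view is easy to see side by side: the same stored HTTP field rendered once by string concatenation and once through an HTML encoder applied at page-generation time. The following Python is an added illustration written for this article; it is not FortiADC code and makes no claim about how its log pages are implemented. The log entries and field names are constructed, and `contains_raw_markup_from_input` is a hypothetical check that asks whether any markup-bearing input survived unchanged in the rendered output.

```python
import html

# Constructed sample log entries (not captured from any product). The second
# entry's User-Agent and path carry markup, the kind of attacker-controlled
# HTTP field that a traffic/event log view later displays.
SAMPLE_LOG = [
    {"src": "10.0.0.5", "method": "GET", "path": "/",
     "user_agent": "curl/8.0"},
    {"src": "10.0.0.9", "method": "GET", "path": "/?q=<b>x</b>",
     "user_agent": "<script>document.title='x'</script>"},
]

COLUMNS = ("src", "method", "path", "user_agent")


def render_row_unsafe(entry):
    """The CWE-79 pattern: stored HTTP fields are concatenated straight into
    the HTML of the log view, so any tags they contain become part of the page."""
    return "<tr>" + "".join(f"<td>{entry[c]}</td>" for c in COLUMNS) + "</tr>"


def render_row_safe(entry):
    """Neutralize every attacker-influenced field at the point of page
    generation. quote=True also encodes quotes, which matters if a field ever
    lands inside an attribute value."""
    cells = "".join(
        f"<td>{html.escape(str(entry[c]), quote=True)}</td>" for c in COLUMNS
    )
    return "<tr>" + cells + "</tr>"


def render_table(entries, row_fn):
    """Render the whole log view; the header names are trusted constants."""
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"
    return "<table>" + head + "".join(row_fn(e) for e in entries) + "</table>"


def contains_raw_markup_from_input(entries, rendered):
    """Hypothetical check: does any input field that carries markup characters
    appear verbatim in the rendered page? True means the encoder was skipped
    somewhere; a regression test can assert this is always False."""
    for e in entries:
        for c in COLUMNS:
            v = str(e[c])
            if any(ch in v for ch in '<>"\'') and v in rendered:
                return True
    return False


if __name__ == "__main__":
    print(render_table(SAMPLE_LOG, render_row_unsafe))
    print(render_table(SAMPLE_LOG, render_row_safe))
```

Because the payload is stored at log time and only executes when an administrator opens the view, escaping must happen on the output side, for every field, regardless of what validation was applied when the request was logged; a Content-Security-Policy on the management interface is a useful second layer but not a substitute.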
Another issue addressed by the company is a command injection in a CLI command of FortiTester, tracked as CVE-2022-33870.
“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiTester may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands,” reads the advisory.
Another issue, tracked as CVE-2022-26119, impacts FortiSIEM; it is described as “Glassfish local credentials stored in plain text.”
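The CWE-78 weakness the advisory describes arises when a restricted command interpreter forwards user-supplied arguments to an underlying OS command as a shell string. The Python below is an added example for this article, not FortiTester code, and the `ALLOWED_COMMANDS` mapping, the argument pattern and the wrapper functions are all hypothetical; it contrasts the string-building pattern with an argv list plus a strict per-argument allowlist, and never invokes a shell.

```python
import re
import subprocess

# Hypothetical restricted CLI: each exposed command maps to a fixed argv prefix
# of the OS binary it wraps. Users only ever supply the trailing arguments.
ALLOWED_COMMANDS = {
    "ping": ["/bin/ping", "-c", "1"],
}

# Hypothetical allowlist for a host argument: letters, digits, dot, colon,
# hyphen and underscore only, so shell metacharacters can never get through.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._:-]{1,253}$")


def build_unsafe(command, args):
    """CWE-78 pattern: the command line is assembled as one string destined for
    a shell, so ';', '|', '$(...)' and friends inside args are interpreted."""
    return " ".join(ALLOWED_COMMANDS[command] + list(args))


def build_safe(command, args):
    """Validate each argument against the allowlist and keep the result as an
    argv list. Raises ValueError on anything that should not reach the OS."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command: {command!r}")
    for a in args:
        if not SAFE_ARG.match(a):
            raise ValueError(f"rejected argument: {a!r}")
    return ALLOWED_COMMANDS[command] + list(args)


def is_rejected(command, args):
    """True if the safe builder refuses this invocation."""
    try:
        build_safe(command, args)
    except ValueError:
        return True
    return False


def run_safe(command, args, dry_run=True):
    """Execute through subprocess with an argv list (shell=False is the
    default), so the OS receives the arguments exactly as validated.
    dry_run=True returns the argv instead of running anything."""
    argv = build_safe(command, args)
    if dry_run:
        return argv
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.returncode


if __name__ == "__main__":
    crafted = "127.0.0.1; echo injected"
    print("unsafe string:", build_unsafe("ping", [crafted]))
    print("rejected by allowlist:", is_rejected("ping", [crafted]))
    print("argv:", run_safe("ping", ["example.com"]))
```

The two controls are independent: the argv list alone already stops the shell from reinterpreting an argument, and the allowlist additionally keeps option-like or oversized values away from the wrapped binary, which matters when that binary itself accepts arguments that change its behaviour.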
A local attacker with command-line access can exploit the bug to perform operations on the Glassfish server directly via a hardcoded password.
The full list of vulnerabilities addressed in November 2022 is available here.
In October, Fortinet confirmed that the critical authentication bypass issue, tracked as CVE-2022-40684, is being exploited in the wild. The issue impacted FortiGate firewalls and FortiProxy web proxies.
An attacker can exploit the vulnerability to log into vulnerable devices.