Computer vulnerabilities of Fortinet FortiGate Virtual Appliance

computer vulnerability note CVE-2017-7738

FortiOS: information disclosure via fnsysctl

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via fnsysctl of FortiOS, in order to obtain sensitive information.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 1/4.
Consequences: data reading.
Provenance: privileged account.
Creation date: 11/12/2017.
Identifiers: CERTFR-2017-AVI-459, CVE-2017-7738, FG-IR-17-172, VIGILANCE-VUL-24729.

Description of the vulnerability

An attacker can bypass access restrictions to data via fnsysctl of FortiOS, in order to obtain sensitive information.

vulnerability alert CVE-2017-7739

FortiOS: Cross Site Scripting via Web Proxy Disclaimer

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Web Proxy Disclaimer of FortiOS, in order to run JavaScript code in the context of the web site.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/11/2017.
Identifiers: CERTFR-2017-AVI-392, CVE-2017-7739, FG-IR-17-168, VIGILANCE-VUL-24351.

Description of the vulnerability

The FortiOS product offers a web service.

However, it does not filter data received via the Web Proxy Disclaimer before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Web Proxy Disclaimer of FortiOS, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2017-7733

FortiOS: Cross Site Scripting via Login Disclaimer

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Login Disclaimer of FortiOS, in order to run JavaScript code in the context of the web site.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 25/10/2017.
Identifiers: CVE-2017-7733, FG-IR-17-113, VIGILANCE-VUL-24233.

Description of the vulnerability

The FortiOS product offers a web service.

However, it does not filter data received via the Login Disclaimer before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Login Disclaimer of FortiOS, in order to run JavaScript code in the context of the web site.

vulnerability announce CVE-2017-14182

FortiOS: denial of service via "params" Parameter

Synthesis of the vulnerability

An attacker can generate a fatal error via "params" Parameter of FortiOS, in order to trigger a denial of service.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 25/10/2017.
Identifiers: CVE-2017-14182, FG-IR-17-206, VIGILANCE-VUL-24232.

Description of the vulnerability

An attacker can generate a fatal error via "params" Parameter of FortiOS, in order to trigger a denial of service.

vulnerability bulletin CVE-2017-3130

FortiOS: information disclosure via IKE Vendor ID

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via IKE Vendor ID of FortiOS, in order to obtain sensitive information.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 09/08/2017.
Identifiers: CERTFR-2017-AVI-253, CVE-2017-3130, FG-IR-17-073, VIGILANCE-VUL-23483.

Description of the vulnerability

An attacker can bypass access restrictions to data via IKE Vendor ID of FortiOS, in order to obtain sensitive information.

vulnerability announce 23482

FortiOS: security improvement via SMBv1 Support Disabled

Synthesis of the vulnerability

The security of FortiOS was improved via SMBv1 Support Disabled.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 1/4.
Consequences: no consequence.
Provenance: internet client.
Creation date: 09/08/2017.
Identifiers: CERTFR-2017-AVI-253, FG-IR-17-103, VIGILANCE-VUL-23482.

Description of the vulnerability

This bulletin is about a security improvement.

It does not describe a vulnerability.

The security of FortiOS was therefore improved via SMBv1 Support Disabled.

computer vulnerability announce CVE-2017-3131 CVE-2017-3132 CVE-2017-3133

FortiOS: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of FortiOS, in order to run JavaScript code in the context of the web site.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 28/07/2017.
Identifiers: CERTFR-2017-AVI-240, CVE-2017-3131, CVE-2017-3132, CVE-2017-3133, FG-IR-17-104, VIGILANCE-VUL-23387.

Description of the vulnerability

The FortiOS product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of FortiOS, in order to run JavaScript code in the context of the web site.

vulnerability note CVE-2017-7734 CVE-2017-7735

Fortinet FortiOS: Cross Site Scripting via comments

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via comments in Fortinet FortiOS, in order to run JavaScript code in the context of the web site.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/06/2017.
Identifiers: CVE-2017-7734, CVE-2017-7735, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, VIGILANCE-VUL-22984.

Description of the vulnerability

The Fortinet FortiOS product offers a web service.

However, it does not filter data received in comments before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via comments in Fortinet FortiOS, in order to run JavaScript code in the context of the web site.

vulnerability bulletin CVE-2017-3128

FortiOS: Cross Site Scripting via Policy Global-label Parameter

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Policy Global-label Parameter of FortiOS, in order to run JavaScript code in the context of the web site.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/05/2017.
Identifiers: CVE-2017-3128, FG-IR-17-057, VIGILANCE-VUL-22763.

Description of the vulnerability

The FortiOS product offers a web service.

However, it does not filter data received via the Policy Global-label Parameter before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Policy Global-label Parameter of FortiOS, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2017-3127

FortiOS: Cross Site Scripting via srcintf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via srcintf of FortiOS, in order to run JavaScript code in the context of the web site.
Impacted products: FortiGate, FortiGate Virtual Appliance, FortiOS.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/04/2017.
Identifiers: CVE-2017-3127, FG-IR-17-017, VIGILANCE-VUL-22570.

Description of the vulnerability

The FortiOS product offers a web service.

However, it does not filter data received via srcintf before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via srcintf of FortiOS, in order to run JavaScript code in the context of the web site.