11 important vulnerabilities in Fortinet products: FortiOS, FortiAnalyzer, FortiADC, FortiManager, FortiProxy, FortiClient, FortiDeceptor, FortiSwitch, FortiRecorder & FortiVoiceEnterprise

Fortinet is an American multinational corporation headquartered in Sunnyvale, California. The company develops and sells cybersecurity solutions such as physical firewalls, antivirus software, intrusion prevention systems, and endpoint security components. Fortinet has addressed a raft of security vulnerabilities affecting several of its endpoint security products. The following is a list of advisories for issues resolved in Fortinet products.

CVE-2022-26120: FortiADC – Multiple SQL Injection vulnerabilities in the management interface

Multiple improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerabilities in FortiADC

CVE-2022-27483: FortiAnalyzer & FortiManager – OS command injection vulnerability in CLI

An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability in FortiManager

CVE-2021-43072: FortiAnalyzer/FortiManager/FortiOS/FortiProxy – Stack-based buffer overflow via crafted CLI execute command

A buffer copy without checking size of input (‘Classic Buffer Overflow’) vulnerability in FortiAnalyzer/FortiManager/FortiOS/FortiProxy

CVE-2021-4103: FortiClient (Windows) – Privilege escalation via directory traversal attack

A relative path traversal vulnerability in FortiClient for Windows may allow a local unprivileged attacker to escalate privileges

CVE-2022-30302: FortiDeceptor – Path traversal vulnerability

Multiple relative path traversal vulnerabilities in the FortiDeceptor management interface may allow a remote and authenticated user to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests.

CVE-2022-29057: FortiEDR – Cross-Site Scripting (XSS) vulnerabilities in the Management Console

An improper neutralization of input during web page generation vulnerability in FortiEDR Central Manager

CVE-2022-26118: FortiManager & FortiAnalyzer – Privilege escalation vulnerability

A privilege chaining vulnerability in FortiManager and FortiAnalyzer may allow a local and authenticated user to attack

CVE-2022-26117: FortiNAC – Unprotected MySQL root account

An empty password in configuration file vulnerability in FortiNAC may allow an authenticated attacker to access the database.

CVE-2021-44170: FortiOS & FortiProxy – Stack-based buffer overflows in diagnostic CLI commands

A stack-based buffer overflow vulnerability in the command line interpreter of FortiOS and FortiProxy may allow code injection.

CVE-2022-23438: FortiOS – XSS vulnerability observed in the authentication replacement pages

An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in FortiOS.

CVE-2021-42755: Multiple products – Integer overflow in dhcpd daemon

An integer overflow / wraparound vulnerability in FortiOS, FortiProxy, FortiSwitch, FortiRecorder, and FortiVoiceEnterprise