fortinet

fortiauthenticator

16 known vulnerabilities · sorted by CVSS score

CVE-2021-43067

A exposure of sensitive information to an unauthorized actor in Fortinet FortiAuthenticator version 6.4.0, version 6.3.2 and below, version 6.2.1 and below, version 6.1.2 and below, version 6.0.7 to 6.0.1 allows attacker to duplicate a target LDAP user 2 factors authentication token via crafted HTTP requests.

fortinet / fortiauthenticator+9

Network

Published Dec 8, 2021

CVE-2021-22124

HIGH7.5

An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters.

fortinet / fortiauthenticator+5

Network

Published Aug 4, 2021

CVE-2026-21743

HIGH7.2

A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint.

fortinet / fortiauthenticator

Network

Published Feb 10, 2026

CVE-2021-26116

MEDIUM6.7

An improper neutralization of special elements used in an OS command vulnerability in the command line interpreter of FortiAuthenticator before 6.3.1 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

fortinet / fortiauthenticator

Local

Published Apr 6, 2022

CVE-2024-23664

MEDIUM6.1

A URL redirection to untrusted site ('open redirect') in Fortinet FortiAuthenticator version 6.6.0, version 6.5.3 and below, version 6.4.9 and below may allow an attacker to to redirect users to an arbitrary website via a crafted URL.

fortinet / fortiauthenticator+1

Network

Published Jun 3, 2024

CVE-2018-9186

MEDIUM6.1

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.

fortinet / fortiauthenticator

Network

Published May 31, 2018

CVE-2019-16154

MEDIUM6.1

An improper neutralization of input during web page generation in FortiAuthenticator WEB UI 6.0.0 may allow an unauthenticated user to perform a cross-site scripting attack (XSS) via a parameter of the logon page.

fortinet / fortiauthenticator

Network

Published Jan 7, 2020

CVE-2021-43068

MEDIUM5.4

A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal.

fortinet / fortiauthenticator

Network

Published Dec 9, 2021

CVE-2022-22302

MEDIUM5.3

A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.

fortinet / fortiauthenticator+6

Network

Published Jul 11, 2023

CVE-2022-23439

MEDIUM4.7

A externally controlled reference to a resource in another sphere vulnerability in Fortinet allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver

fortinet / fortiadc+18

Network

Published Jan 22, 2025

CVE-2022-35850

MEDIUM4.3

An improper neutralization of script-related HTML tags in a web page vulnerability [CWE-80] in FortiAuthenticator versions 6.4.0 through 6.4.4, 6.3.0 through 6.3.3, all versions of 6.2 and 6.1 may allow a remote unauthenticated attacker to trigger a reflected cross site scripting (XSS) attack via the "reset-password" page.

fortinet / fortiauthenticator+1

Network

Published Apr 11, 2023

CVE-2021-36177

MEDIUM4.2

An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.

fortinet / fortiauthenticator

Adjacent

Published Feb 2, 2022

CVE-2021-24005

MEDIUM4.0

Usage of hard-coded cryptographic keys to encrypt configuration files and debug logs in FortiAuthenticator versions before 6.3.0 may allow an attacker with access to the files or the CLI configuration to decrypt the sensitive data, via knowledge of the hard-coded key.

fortinet / fortiauthenticator

Local

Published Jul 6, 2021

CVE-2023-26208

LOW3.7

A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.

fortinet / fortiauthenticator

Network

Published Mar 9, 2023

CVE-2025-59923

LOW2.7

An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests.

fortinet / fortiauthenticator

Network

Published Dec 9, 2025

CVE-2025-57823

LOW2.7

A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints

fortinet / fortiauthenticator

Network

Published Dec 9, 2025