Fortinet WAF Vulnerabilities discovered

COMPANY: Fortinet

HARDWARE DEVICE(s): Fortiweb Web Application Firewalls (WAF)


CVEs: CVE-2020-29015, CVE-2020-29016, CVE-2020-29019 and CVE-2020-29018

OFFICIAL CVSS: 6.4 — (Disputed by researcher: The CVE CVE-2020-29016 can allow code execution to be enabled, which means a CVSS of 9+ typically.)

NOTES: The vulnerabilities were discovered in the FortiWeb administration interface. The researcher said the vulnerability disclosure process took 120 days.