PSIRT Advisories

FortiPortal - Pervasive SQL injections


Multiple improper neutralization of special elements used in an SQL command vulnerabilities (CWE-89) in FortiPortal may allow an attacker with regular-user privileges to execute arbitrary SQL commands on the underlying database via specifically crafted HTTP requests. Exploitation requires only a valid low-privilege account, so any user who can authenticate to the portal is a potential attacker.
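
The pattern behind a CWE-89 finding of this kind, shown as an added, constructed example rather than FortiPortal's own code: a multi-tenant portal endpoint takes a filter value from an authenticated low-privilege user's HTTP request and pastes it into an SQL statement, next to the same handler with the value bound as a parameter. The table names, the `hostname_filter` parameter, the sample rows and the payload are all assumptions made for the illustration; the database is an in-memory SQLite so it runs offline.

```python
"""CWE-89 in a multi-tenant portal: vulnerable handler beside its fix.

Constructed example, not FortiPortal code. Models an endpoint where an
authenticated, low-privilege user of one tenant supplies an HTTP query
parameter (hostname_filter) that is used to build an SQL statement. Tenant
scoping is applied server-side, but concatenating the untrusted parameter
lets the user break out of the quoted literal and read other tables.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory SQLite schema with constructed sample data (assumed, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, name TEXT, tenant TEXT, role TEXT, api_key TEXT);
        INSERT INTO users VALUES (1, 'alice', 'tenantA', 'admin', 'KEY-ADMIN-SECRET');
        INSERT INTO users VALUES (2, 'bob',   'tenantB', 'user',  'KEY-BOB');
        CREATE TABLE devices (id INTEGER PRIMARY KEY, tenant TEXT, hostname TEXT);
        INSERT INTO devices VALUES (1, 'tenantA', 'fw-a-1');
        INSERT INTO devices VALUES (2, 'tenantB', 'fw-b-1');
        """
    )
    return conn


def list_devices_vulnerable(conn, tenant: str, hostname_filter: str) -> list:
    """Vulnerable: the request parameter is pasted into the SQL text (CWE-89).

    `tenant` comes from the authenticated session; `hostname_filter` comes
    straight from the HTTP request and is never neutralised.
    """
    sql = (
        "SELECT hostname FROM devices WHERE tenant = '%s' "
        "AND hostname LIKE '%%%s%%'" % (tenant, hostname_filter)
    )
    return [row[0] for row in conn.execute(sql)]


def list_devices_fixed(conn, tenant: str, hostname_filter: str) -> list:
    """Fixed: values are bound as parameters, so quotes in the input stay data."""
    sql = "SELECT hostname FROM devices WHERE tenant = ? AND hostname LIKE ?"
    return [row[0] for row in conn.execute(sql, (tenant, "%" + hostname_filter + "%"))]


# Payload a regular user of tenantB could send as the hostname filter (assumed
# for this illustration). It closes the LIKE literal, UNIONs in a column from an
# unrelated table, and re-balances the quotes so the statement still parses.
PAYLOAD = "x' UNION SELECT api_key FROM users WHERE '%' = '"


def run_demo() -> dict:
    """Return what each handler gives a tenantB user for a benign and a hostile filter."""
    conn = build_db()
    return {
        "vuln_benign": list_devices_vulnerable(conn, "tenantB", "fw"),
        "vuln_payload": sorted(list_devices_vulnerable(conn, "tenantB", PAYLOAD)),
        "fixed_benign": list_devices_fixed(conn, "tenantB", "fw"),
        "fixed_payload": list_devices_fixed(conn, "tenantB", PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Both handlers behave identically on a benign filter, which is why this class of bug ships; only the hostile input separates them, and the vulnerable handler hands a tenantB user the admin's credential from another tenant. The review check is mechanical: find every SQL statement assembled with string formatting or concatenation from request data and move each value into a bound parameter.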

Affected Products

FortiPortal 6.0.4 and below.
FortiPortal 5.3.5 and below.
FortiPortal 5.2.5 and below.
FortiPortal 5.1.2 and below.
FortiPortal 5.0.3 and below.
FortiPortal 4.2.4 and below.
FortiPortal 4.1.2 and below.
FortiPortal 4.0.4 and below.
FortiPortal 3.2.2 and below.

Solutions

Upgrade to FortiPortal 6.0.5 or above.
Upgrade to FortiPortal 5.3.6 or above.
Upgrade to FortiPortal 5.2.6 or above.
Fixes for versions 5.1, 5.0, 4.2, 4.1, 4.0 and 3.2 are to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.