FortiWeb - OS command injection due to direct input interpolation in API controllers
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute arbitrary code or commands via crafted HTTP requests to ApplicationDelivery, JsonProtection and WebProtection controllers.
FortiWeb version 6.4.1 and below
FortiWeb version 6.3.16 and below
FortiWeb version 6.2.6 and below
Upgrade to the upcoming FortiWeb version 7.0.0 or above
Upgrade to FortiWeb version 6.4.2 or above
Upgrade to FortiWeb version 6.3.17 or above
Upgrade to FortiWeb version 6.2.7 or above
Fix for FortiWeb versions 6.1, 6.0, 5.9 to be confirmed.