FortiAnalyzer & FortiManager - OS command injection vulnerability in CLI
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiAnalyzer & FortiManager may allow an authenticated attacker to execute arbitrary shell code as the `root` user via `diagnose system` CLI commands.
Affected Products
At least
FortiManager version 7.0.0 through 7.0.3
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.0.0 through 6.0.11
FortiAnalyzer version 7.0.0 through 7.0.3
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions
Solutions
Upgrade to FortiAnalyzer version 7.2.0 or above,
Upgrade to FortiAnalyzer version 7.0.4 or above,
Upgrade to FortiAnalyzer version 6.4.8 or above.
Upgrade to FortiManager version 7.2.0 or above,
Upgrade to FortiManager version 7.0.4 or above,
Upgrade to FortiManager version 6.4.8 or above.
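To check an inventory against the ranges above, the following added example (not Fortinet code) classifies a product and version as affected, fixed, or not listed, and names the upgrade target from this advisory. The function names, status strings and sample inventory are constructed for illustration, and the reading of "or above" as per-branch is an assumption.

```python
import re

# Affected ranges transcribed from the advisory text; bounds are inclusive.
# An upper bound of None encodes "all versions" of that major.minor branch.
AFFECTED = {
    "FortiManager": [((7, 0, 0), (7, 0, 3)), ((6, 4, 0), (6, 4, 7)),
                     ((6, 2, 0), (6, 2, 9)), ((6, 0, 0), (6, 0, 11))],
    "FortiAnalyzer": [((7, 0, 0), (7, 0, 3)), ((6, 4, 0), (6, 4, 7)),
                      ((6, 2, 0), None), ((6, 0, 0), None)],
}
# Fixed releases named in the advisory (identical for both products), ascending.
FIXED = [(6, 4, 8), (7, 0, 4), (7, 2, 0)]

def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v') into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(product, version):
    """Return (status, upgrade_target) for one appliance."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        hit = v[:2] == low[:2] if high is None else low <= v <= high
        if hit:
            # Prefer the fix in the same branch, else the lowest fixed release above.
            same = [f for f in FIXED if f[:2] == v[:2]]
            target = same[0] if same else min(f for f in FIXED if f > v)
            return "affected", ".".join(map(str, target))
    # Assumption: "X.Y.Z or above" means later patches of that branch, or 7.2.0+.
    if v >= FIXED[-1] or any(f[:2] == v[:2] and v >= f for f in FIXED):
        return "fixed", None
    # The advisory says "at least", so an unlisted build is not proven clean.
    return "not-listed", None

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [("fmg-01", "FortiManager", "7.0.3"), ("faz-01", "FortiAnalyzer", "6.2.12"),
                 ("fmg-02", "FortiManager", "6.2.10"), ("faz-02", "FortiAnalyzer", "7.2.1")]
    for host, product, version in inventory:
        status, target = triage(product, version)
        print(f"{host:8} {product:14} {version:8} {status:11} {target or '-'}")
```

A `not-listed` result means the build falls outside the ranges the advisory enumerates; it should be reviewed manually rather than treated as unaffected.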