SQL Injection

Summary

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.

Affected Products

FortiNAC version 9.2.0 through 9.2.2
FortiNAC version 9.1.0 through 9.1.5
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

Solutions

Upgrade to FortiNAC version 10.0.0 or above,
Upgrade to FortiNAC version 9.4.0 or above,
Upgrade to FortiNAC version 9.2.3 or above,
Upgrade to FortiNAC version 9.1.6 or above,

Acknowledgement

Internally discovered and reported by Giulia Clerici of the Fortinet Product Security team.

Timeline

2022-05-03: Initial publication