FortiWeb - Command injection in CLI backup functionality

Summary

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow a privileged attacker to execute arbitrary bash commands via crafted cli backup parameters.

Affected Products

FortiWeb version 7.0.0 through 7.0.1
FortiWeb version 6.3.6 through 6.3.18
FortiWeb 6.4 all versions

Solutions

Please upgrade to FortiWeb version 7.0.2 or above
Please upgrade to FortiWeb version 6.3.19 or above