FortiAnalyzer - CSV injection in macro name
Summary
An improper neutralization of formula elements vulnerability (CWE 1236) in FortiAnalyzer may allow a local authenticated privileged attacker to execute arbitrary code on the end-user's host via inserting spreadsheet formulas in the macro names. This is achieved once the user downloads and opens the CSV report files.
Version | Affected | Solution |
---|---|---|
FortiAnalyzer 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
FortiAnalyzer 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release |