FortiPortal - Schedule System Backup Page OS Command Injection
Summary
An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.
Version | Affected | Solution |
---|---|---|
FortiPortal 7.2 | 7.2.0 | Upgrade to 7.2.1 or above |
FortiPortal 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
FortiPortal 6.0 | Not affected | Not Applicable |
FortiPortal 5.3 | Not affected | Not Applicable |
Acknowledgement
Internally discovered and reported by Gary Chung of Fortinet Burnaby FortiPortal team.Timeline
2023-12-11: Initial publication