FortiWeb - OS Command Injection because of missing input parameter sanitization
Fortinet PSIRT Advisories
Fortinet PSIRT Contact: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-21-047
Status: Final
Version: 1
Revision: 1
Initial publication date: 2021-09-07
Current version: 2021-09-07
Last updated: 2021-09-07
Summary: Multiple improper neutralization of special elements used in a command vulnerabilities [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests.
Impact: Execute unauthorized code or commands
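The bug class named in the summary, as an added worked example that is not FortiWeb code and does not reproduce the actual vulnerable endpoint (Fortinet has not published the affected parameters): a handler splices a request parameter into a shell command line. The `host` parameter, the `echo lookup` command it feeds, and the payload strings are all constructed here for illustration. The example contrasts the vulnerable pattern with two fixes, shell-quoting and (preferred) allow-list validation plus an argv call with no shell at all.

```python
"""Command injection via an unsanitized request parameter, and two fixes.

Constructed example, not FortiWeb code. The 'host' parameter name and the
'echo lookup' command are stand-ins for whatever a real handler runs.
"""
import re
import shlex
import subprocess

# Constructed sample parameter values: one benign, two injection payloads.
BENIGN = "example.com"
PAYLOAD_SEMICOLON = "example.com; echo INJECTED"   # command separator
PAYLOAD_SUBSHELL = "x$(echo INJECTED)"             # command substitution


def run_vulnerable(host: str) -> str:
    """Vulnerable pattern: the raw parameter is concatenated into a shell string."""
    cmd = f"echo lookup {host}"           # nothing neutralizes ; | $( ) etc.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(host: str) -> str:
    """Mitigation 1: shell-quote the parameter so metacharacters stay literal."""
    cmd = "echo lookup " + shlex.quote(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for what the parameter is supposed to be: a hostname-like token.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname; raise rather than 'clean'."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected parameter: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Mitigation 2 (preferred): validate, then pass an argv list with no shell."""
    host = validate_host(host)
    return subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True).stdout


def demo() -> dict:
    """Run every variant against every input; returns stdout or the rejection."""
    results = {}
    for label, value in (("benign", BENIGN),
                         ("semicolon", PAYLOAD_SEMICOLON),
                         ("subshell", PAYLOAD_SUBSHELL)):
        results[("vulnerable", label)] = run_vulnerable(value)
        results[("quoted", label)] = run_quoted(value)
        try:
            results[("hardened", label)] = run_hardened(value)
        except ValueError as exc:
            results[("hardened", label)] = f"REJECTED: {exc}"
    return results


if __name__ == "__main__":
    for key, out in demo().items():
        print(key, repr(out))
```

Running `demo()` shows the three behaviours side by side: the vulnerable variant executes the injected `echo INJECTED` for both payloads, the quoted variant echoes the payload text back verbatim, and the hardened variant refuses both payloads before any process is spawned. Quoting alone depends on getting every call site right; validating against the parameter's expected shape and avoiding the shell removes the class of bug rather than one instance of it.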
Affected products: FortiWeb version 6.3.13 or below (6.3.0 through 6.3.13 are listed); FortiWeb version 6.2.4 or below.
Solutions: Upgrade to FortiWeb 6.3.14 or above, or to FortiWeb 6.2.5 or above, according to the branch in use.
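A triage helper for the two ranges above, as an added example rather than Fortinet tooling: it parses FortiWeb version strings as they appear in this advisory and classifies each as affected, fixed, or not covered. Branches the advisory does not mention are reported as not covered instead of being guessed at; the inventory lines are constructed sample input.

```python
"""Version triage against FG-IR-21-047 (added example, not Fortinet tooling)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Taken from the advisory: branch -> (last affected release, first fixed release).
ADVISORY_RANGES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (6, 3): ((6, 3, 13), (6, 3, 14)),
    (6, 2): ((6, 2, 4), (6, 2, 5)),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Accept 'FortiWeb-6.3.13', 'FortiWeb 6.3.13', 'v6.3.13' or '6.3.13'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended upgrade or None)."""
    ver = parse_version(text)
    branch = (ver[0], ver[1])
    if branch not in ADVISORY_RANGES:
        # The advisory only speaks about 6.2.x and 6.3.x; do not extrapolate.
        return ("not covered by FG-IR-21-047", None)
    last_affected, first_fixed = ADVISORY_RANGES[branch]
    if ver <= last_affected:
        return ("affected", "FortiWeb " + ".".join(map(str, first_fixed)))
    return ("fixed", None)


# Constructed inventory lines (hostname, version) such as an asset export gives.
SAMPLE_INVENTORY = [
    "waf-dmz-01 FortiWeb-6.3.13",
    "waf-dmz-02 FortiWeb-6.3.14",
    "waf-lab-01 FortiWeb-6.2.4",
    "waf-lab-02 FortiWeb-6.2.5",
    "waf-new-01 FortiWeb-6.4.0",
]


def triage(lines) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each inventory hostname to its assessment."""
    out = {}
    for line in lines:
        name, _, ver = line.partition(" ")
        out[name] = assess(ver)
    return out


if __name__ == "__main__":
    for name, (status, upgrade) in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}" + (f", upgrade to {upgrade}" if upgrade else ""))
```

Comparing version tuples rather than strings avoids the classic "6.3.9 > 6.3.13" mistake of lexical comparison, and keeping the not-covered state separate from fixed stops an unlisted branch from being silently marked safe.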
Acknowledgement: Fortinet is pleased to thank H4lo from DBappSecurity Co., Ltd Hatlab for reporting this vulnerability under responsible disclosure.
FortiWeb 6.3.13
FortiWeb 6.3.12
FortiWeb 6.3.11
FortiWeb 6.3.10
FortiWeb 6.3.9
FortiWeb 6.3.8
FortiWeb 6.3.7
FortiWeb 6.3.6
FortiWeb 6.3.5
FortiWeb 6.3.4
FortiWeb 6.3.3
FortiWeb 6.3.2
FortiWeb 6.3.1
FortiWeb 6.3.0
FortiWeb 6.2.4
CVE ID: CVE-2021-36182
CVSSv3.1 score: 8.3 (this is the temporal score; the base score for the vector below is 8.8, scaled by Exploit Code Maturity E:P)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-21-047