FortiWLM - SQL Injection in script handlers
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-21-107
Final
1
1
2021-11-02T00:00:00
Current version
2021-11-02T00:00:00
2021-11-02T00:00:00
An improper neutralization of special elements [CWE-79] used in an SQL command vulnerability ('SQL Injection') [CWE-89] in FortiWLM may allow an authenticated attacker to disclose sensitive information via crafted HTTP requests to various controllers.
Information disclosure
FortiWLM versions 8.6.1 and below are impacted
Upgrade to FortiWLM version 8.6.2 or later
Internally discovered and reported by Mattia Fecit of the Fortinet Product Security Team.
FortiWLM 8.6.1
FortiWLM 8.6.0
FortiWLM 8.5.3
FortiWLM 8.5.2
FortiWLM 8.5.1
FortiWLM 8.5.0
FortiWLM 8.4.2
FortiWLM 8.4.1
FortiWLM 8.4.0
FortiWLM 8.3.2
FortiWLM 8.3.1
FortiWLM 8.3.0
FortiWLM 8.2.2
FortiWLM - SQL Injection in script handlers
CVE-2021-36184
FortiWLM-8.6.1
FortiWLM-8.6.0
FortiWLM-8.5.3
FortiWLM-8.5.2
FortiWLM-8.5.1
FortiWLM-8.5.0
FortiWLM-8.4.2
FortiWLM-8.4.1
FortiWLM-8.4.0
FortiWLM-8.3.2
FortiWLM-8.3.1
FortiWLM-8.3.0
FortiWLM-8.2.2
8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-21-107