PSIRT Advisories

FortiWeb - OS command injection vulnerability

Summary

An OS command injection vulnerability in FortiWeb's management interface may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page.

Affected Products

FortiWeb versions 6.3.7 and below. FortiWeb versions 6.2.3 and below. FortiWeb versions 6.1.x, 6.0.x, 5.9.x.

Solutions

Please upgrade to FortiWeb versions 6.3.8 or above. Please upgrade to FortiWeb versions 6.2.4 or above.

Acknowledgement

Fortinet is pleased to thank Andrey Medov from ptsecurity for reporting this vulnerability under responsible disclosure.