FortiManager - Excel formula injection in P&O IPv4 Policy names Vulnerability
An improper neutralization of formula elements vulnerability (CWE 1236) in FortiManager may allow a local authenticated privileged attacker to execute arbitrary shell code on the end-user's host via inserting CSV formula in the policy names. This is achieved once the user downloads and opens the configuration csv/xls* file.
FortiManager v6.4.3 and below.
FortiManager v6.2.7 and below.
Any FortiManager v6.0.x is impacted
Upgrade to FortiManager v6.4.4 or above.
Upgrade to FortiManager v6.2.8 or above.