OS Command injection in FortiMail's admin.fe
Summary
An improper neutralization of special elements used in an OS Command vulnerability (CWE-78) in FortiMail's administrative interface may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Affected Products
FortiMail 6.4.3
FortiMail 6.2.6
FortiMail 6.0.10
FortiMail 5.4.12
Solutions
Please upgrade to FortiMail version 7.0.0 or above
Please upgrade to FortiMail version 6.4.4 or above
Please upgrade to FortiMail version 6.2.7 or above
Please upgrade to FortiMail version 6.0.11 or above
Acknowledgement
Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.
Timeline
2021-07-07: Initial publication