PSIRT Advisories

FortiMail - OS Command injection

Summary

An improper neutralization of special elements used in an OS Command vulnerability (CWE-78) in FortiMail's administrative interface may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

Affected Products

FortiMail 6.4.3
FortiMail 6.2.6
FortiMail 6.0.10
FortiMail 5.4.12

Solutions

Upgrade to FortiMail 7.0.0.

Upgrade to FortiMail 6.4.4.

Upgrade to FortiMail 6.2.7.

Upgrade to FortiMail 6.0.11.

5.4 Fix to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.