FortiWeb - OS Command Injection because of missing input parameter sanitization


Multiple improper neutralization of special elements vulnerabilities [CWE-89] used in a command in FortiWeb may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests.

Affected Products

FortiWeb version 6.3.13 or below is impacted
FortiWeb version 6.2.4 or below is impacted


Upgrade to FortiWeb 6.3.14 or above
Upgrade to FortiWeb 6.2.5 or above


Fortinet is pleased to thank H4lo from DBappSecurity Co.,Ltd Hatlab for reporting this vulnerability under responsible disclosure.