| IR Number | FG-IR-21-116 |
| Date | Aug 18, 2021 |
| Severity |
High |
| CVSSv3 Score | 7.6 |
| Impact | Execute unauthorized code or commands |
| CVE ID | CVE-2021-22123 |
| Affected Products |
FortiWeb
:
6.4.1, 6.4.0, 6.3.9, 6.3.8, 6.3.7, 6.3.6, 6.3.5, 6.3.4, 6.3.3, 6.3.2, 6.3.15, 6.3.14, 6.3.13, 6.3.12, 6.3.11, 6.3.10, 6.3.1, 6.3.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0
|
| CVRF | Download |
| Language |
Refine Search
PSIRT Advisories
FortiWeb - OS command injection vulnerability
Summary
An OS command injection vulnerability in FortiWeb's management interface may allow a remote authenticated administrator to execute arbitrary commands on the system via the SAML server configuration page.
Affected Products
FortiWeb version 6.4.0
FortiWeb version 6.3.14 and below.
FortiWeb version 6.2.4 and below.
Solutions
Upgrade to FortiWeb 6.3.15 or above.
Upgrade to FortiWeb 6.4.1 or above.
Upgrade to FortiWeb 6.2.5 or above.
Workaround: Disable access to the management interface from untrusted networks, and use the Trusted Hosts feature to restrict access to trusted IP addresses for the admin users.