PSIRT Advisories
FortiWeb - OS command injection vulnerability
Summary
An OS command injection vulnerability in FortiWeb's management interface may allow a remote authenticated administrator to execute arbitrary commands on the system via the SAML server configuration page.
Affected Products
FortiWeb version 6.4.0
FortiWeb version 6.3.14 and below
FortiWeb version 6.2.4 and below
Solutions
Upgrade to FortiWeb 6.4.1 or above.
Upgrade to FortiWeb 6.3.15 or above.
Upgrade to FortiWeb 6.2.5 or above.
Workaround: Disable access to the management interface from untrusted networks, and use the Trusted Hosts feature to restrict admin users to logging in from trusted IP addresses only. Because exploitation requires administrator credentials, this workaround only limits where the management interface can be reached from; it does not remove the vulnerability, and upgrading to a fixed release remains the solution.
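The following triage helper is an added example, not part of the advisory or of any Fortinet tooling. It encodes the affected branches and fixed releases listed above and classifies a version string (a bare version, or the version token as it appears in a `get system status` style line, which is assumed here to contain a major.minor.patch triplet) as affected, fixed, or not listed in this advisory. The uniform rule it applies is the one the advisory implies: a release on a listed branch is affected when it is older than that branch's fixed release. Branches the advisory does not mention (for example 7.x, or anything before 6.2) are reported as "not listed" rather than guessed at. The sample inputs are constructed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per branch, taken from the Solutions section of the advisory.
# Every release on a listed branch that is older than its fixed release is
# affected ("6.2.4 and below", "6.3.14 and below", "6.4.0").
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 5),
    (6, 3): (6, 3, 15),
    (6, 4): (6, 4, 1),
}

# Assumption: the version appears somewhere in the input as major.minor.patch,
# e.g. "6.3.14" or "FortiWeb-1000E 6.3.14,build0650,210228" (constructed format).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triplet from the given text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> Dict[str, object]:
    """Classify a FortiWeb version against this advisory.

    Returns a dict with keys:
      version    - parsed (major, minor, patch)
      status     - "affected", "fixed", or "not listed"
      upgrade_to - the fixed release for the branch when affected, else None
    """
    version = parse_version(text)
    branch = version[:2]
    fixed: Optional[Version] = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # The advisory says nothing about this branch; do not infer a verdict.
        return {"version": version, "status": "not listed", "upgrade_to": None}
    if version < fixed:
        return {"version": version, "status": "affected", "upgrade_to": fixed}
    return {"version": version, "status": "fixed", "upgrade_to": None}


def format_verdict(text: str) -> str:
    """Human-readable one-line verdict for an inventory report."""
    result = assess(text)
    v = ".".join(str(x) for x in result["version"])
    if result["status"] == "affected":
        fixed = ".".join(str(x) for x in result["upgrade_to"])
        return f"{v}: AFFECTED, upgrade to {fixed} or above"
    if result["status"] == "fixed":
        return f"{v}: not affected (fixed release)"
    return f"{v}: branch not listed in this advisory, check separately"


if __name__ == "__main__":
    # Constructed sample inventory lines; the second mimics a status-line format.
    samples = [
        "6.3.14",
        "FortiWeb-1000E 6.2.4,build0500,200101",
        "6.4.0",
        "6.4.1",
        "7.0.0",
    ]
    for line in samples:
        print(format_verdict(line))
```

Run the module directly to print a verdict per inventory line, or import `assess` into an inventory script to compare the reported version of each appliance against the fixed releases.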