FortiWeb - Multiple command injection vulnerabilities


Multiple command injection vulnerabilities [CWE-78] in the command line interpreter of FortiWeb may allow an authenticated attacker to execute arbitrary commands on the underlying system shell via specially crafted command arguments.

Affected Products

FortiWeb 6.4.1 and earlier.
FortiWeb 6.3.15 and earlier.
FortiWeb 6.2.5 and earlier.
FortiWeb 6.1.2 and earlier.

Solutions

Upgrade to FortiWeb 7.0.0 or later.
Upgrade to FortiWeb 6.4.2 or later.
Upgrade to FortiWeb 6.3.16 or later.


Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.