PSIRT Advisories
FortiWeb - OS command injection due to unsafe input validation function
Summary
An improper neutralization of special elements used in an OS command vulnerability ('OS Command Injection') [CWE-78] in FortiWeb may allow authenticated users to execute unauthorized code or commands via crafted HTTP GET requests to WAD configuration handlers.
Affected Products
FortiWeb version 6.4.1 and below
FortiWeb version 6.3.15 and below
FortiWeb version 6.2.6 and below
Solutions
Upgrade to the upcoming FortiWeb version 7.0.0 or above
Upgrade to FortiWeb version 6.4.2Â or above
Upgrade to FortiWeb version 6.3.16Â or above
Upgrade to FortiWeb version 6.2.7 or above