PSIRT Advisories

FortiWLM - SQL Injection in AP report handlers

Summary

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWLM may allow an authenticated attacker to alter the query logic and execute arbitrary SQL statements via crafted HTTP requests to the AP monitor handlers.

Affected Products

FortiWLM version 8.6.2 and below.
FortiWLM version 8.5.2 and below.
FortiWLM version 8.4.2 and below.
FortiWLM version 8.3.2 and below.

Solutions

Upgrade to FortiWLM version 8.6.3 or above.
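The affected-version list above and the fix version are the data a defender needs to triage an inventory. The script below is an added example, not Fortinet's code; it assumes FortiWLM versions are reported as "major.minor.patch" strings and applies the branch ranges and the 8.6.3 fix version exactly as stated in this advisory, flagging anything the advisory does not name for manual review.

```python
# Added example (not Fortinet's code): decide whether a FortiWLM build is
# covered by this advisory, using only the version ranges stated on the page.
# Version strings such as "8.6.2" are an assumption about the format.
from typing import Dict, Optional, Tuple

# Branches the advisory lists as affected, each given as "x.y.2 and below".
AFFECTED_BRANCHES = {(8, 3), (8, 4), (8, 5), (8, 6)}
MAX_AFFECTED_PATCH = 2
FIXED_VERSION = (8, 6, 3)  # "Upgrade to FortiWLM version 8.6.3 or above."


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' (optional leading 'v') into an int tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version_text: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'invalid' for one version."""
    v = parse_version(version_text)
    if v is None:
        return "invalid"
    if v >= FIXED_VERSION:
        return "fixed"
    major, minor, patch = v
    if (major, minor) in AFFECTED_BRANCHES and patch <= MAX_AFFECTED_PATCH:
        return "affected"
    # 8.2.x and older, or a .3+ build on an older listed branch, are not
    # named by the advisory: report them for manual review rather than guess.
    return "not-listed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> assessment for an inventory of host -> version."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"wlm-dc1": "8.6.2", "wlm-dc2": "8.6.3",
              "wlm-lab": "8.4.1", "wlm-old": "8.2.5", "wlm-bad": "8.6"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```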


Acknowledgement

Internally discovered and reported by Mattia Fecit of Fortinet Product Security team.