PSIRT Advisories

FortiADC - Multiple SQL Injection vulnerabilities in the management interface

Summary

Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in FortiADC management interface may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Affected Products

FortiADC version 7.0.0 through 7.0.1
FortiADC version 6.2.0 through 6.2.2
FortiADC version 6.1.0 through 6.1.6
FortiADC version 6.0.0 through 6.0.4
FortiADC version 5.4.0 through 5.4.5
FortiADC version 5.3.0 through 5.3.7
FortiADC version 5.2.0 through 5.2.8
FortiADC version 5.1.0 through 5.1.7
FortiADC version 5.0.0 through 5.0.4

Solutions

Please upgrade to FortiADC version 7.0.2 or above.
Please upgrade to FortiADC version 6.2.3 or above.

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.