PSIRT Advisories

FortiWeb - SQL Injection in delete filter component

Summary

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings parameters.

Affected Products

At least
FortiWeb version 6.2.3 through 6.2.7
FortiWeb version 6.3.0 through 6.3.18
FortiWeb version 6.4.0 through 6.4.2
FortiWeb version 7.0.0 through 7.0.1

Solutions

Upgrade to FortiWeb version 7.0.2 or above.

Acknowledgement

Internally discovered and reported by Giulia Clerici of the Fortinet Product Security team.