FortiWeb - SQL Injection in delete filter component


An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb delete log filter component may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings parameters.

Affected Products

At least
FortiWeb version 6.2.3 through 6.2.7
FortiWeb version 6.3.0 through 6.3.18
FortiWeb version 6.4.0 through 6.4.2
FortiWeb version 7.0.0 through 7.0.1


Upgrade to FortiWeb version 7.0.2 or above.


Internally discovered and reported by Giulia Clerici of the Fortinet Product Security team.