PSIRT Advisories

FortiSOAR - OS Command Injection in Agent Password Field

Summary

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR may allow an authenticated attacker to execute unauthorized code or commands via crafted HTTP GET requests.
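To make the CWE-78 pattern concrete for defenders reviewing similar code, the following Python snippet is an added illustration and is not FortiSOAR's or Fortinet's code; the `agentctl` command name and the sample passwords are constructed for the example. It contrasts building a shell string from a password field (the vulnerable shape of an OS command injection) with passing the value as one argv element, and shows a check that flags when a shell would parse the assembled string as more than one command.

```python
import shlex
import subprocess
import sys

# Constructed sample inputs (not taken from the advisory): a benign password and
# one carrying a shell operator of the kind a CWE-78 flaw would misinterpret.
BENIGN_PASSWORD = "S3cure!Agent"
HOSTILE_PASSWORD = "x; echo injected"

# Tokens a POSIX shell treats as command separators or redirections.
SHELL_OPERATORS = {";", "&", "&&", "|", "||", "<", ">"}


def build_command_unsafe(password: str) -> str:
    """Vulnerable shape: the password is pasted into a single string that a
    shell will parse (the equivalent of subprocess.run(cmd, shell=True)).
    'agentctl' is a hypothetical tool name used only for this example."""
    return f"agentctl register --password {password}"


def shell_would_split(cmd: str) -> list[str]:
    """Tokenise cmd the way a POSIX shell would, with ; & | < > as operators,
    and return the operator tokens found. A non-empty result means the shell
    would execute more than the single command the developer intended."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


def build_command_safe(password: str) -> list[str]:
    """Fixed shape: an argv list and no shell. The password is exactly one
    argument regardless of which characters it contains."""
    return ["agentctl", "register", "--password", password]


def run_with_argv(password: str) -> str:
    """Runs the argv form end to end, using the Python interpreter as a
    stand-in for the agent tool: the child receives the password verbatim as
    sys.argv[1], so 'x; echo injected' is data, never a second command."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", password]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def validate_password(password: str) -> bool:
    """Defence in depth: reject empty values, over-long values and control
    characters before the value reaches any OS interaction. Printable
    punctuation stays allowed, because avoiding the shell, not filtering
    characters, is the actual fix."""
    return 0 < len(password) <= 128 and all(c.isprintable() for c in password)


if __name__ == "__main__":
    for pw in (BENIGN_PASSWORD, HOSTILE_PASSWORD):
        cmd = build_command_unsafe(pw)
        print(f"shell string: {cmd!r} -> operators seen: {shell_would_split(cmd)}")
        print(f"argv form   : {build_command_safe(pw)!r} -> child saw: {run_with_argv(pw)!r}")
```

The check in `shell_would_split` is useful as a code-review or unit-test aid for spotting places where user-controlled fields still flow into a shell-parsed string; the durable remediation is the argv form in `build_command_safe`, which removes the shell from the path entirely.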

Affected Products

FortiSOAR version 7.2.0
FortiSOAR version 7.0.0 through 7.0.2
FortiSOAR version 6.4.1 through 6.4.4

Solutions

Please upgrade to FortiSOAR version 7.2.1 or above
Please upgrade to FortiSOAR version 7.0.3 or above

Acknowledgement

Fortinet is pleased to thank security researchers Ryan Catterall and OJ Reeves of Beyond Binary for discovering and reporting this vulnerability under responsible disclosure.