PSIRT Advisories

FortiWeb - format string vulnerability in the CLI

Summary

A format string vulnerability [CWE-134] in the command line interpreter of FortiWeb may allow an authenticated user to execute unauthorized code or commands via specially crafted command arguments.

Major Version | Affected Products                     | Solutions
7.0           | FortiWeb version 7.0.0 through 7.0.1  | Please upgrade to FortiWeb version 7.0.2 or above
6.4           | FortiWeb 6.4, all versions            | No fix in the 6.4 branch; please upgrade to a fixed release of the next major version (see the 7.0 row above)
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.