PSIRT Advisories

FortiWeb - format string vulnerability in the CLI

Summary

A format string vulnerability [CWE-134] in the command line interpreter of FortiWeb may allow an authenticated user to execute unauthorized code or commands via specially crafted command arguments.
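The advisory does not publish FortiWeb's code, so the following is an added illustration of the vulnerability class it names, CWE-134, and not the affected implementation: a hypothetical CLI "echo" handler (`cli_echo_vulnerable`, `cli_echo_hardened` and `count_format_directives` are names invented for this example). The defect is using the user-supplied argument as the format string itself; the fix is a constant format with the argument passed as data. A small audit helper counts the conversion directives an untrusted string carries, which is a useful check in a code review or fuzz harness.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical CLI command handler, not FortiWeb's code.
 * VULNERABLE (CWE-134): the untrusted argument becomes the format string,
 * so every %-directive it contains is interpreted by the formatter.
 * Compilers flag this pattern with -Wformat-security. */
int cli_echo_vulnerable(char *out, size_t out_len, const char *arg)
{
    return snprintf(out, out_len, arg);
}

/* HARDENED: the format string is a compile-time constant and the
 * argument is consumed only as data, so "%x" is echoed back literally. */
int cli_echo_hardened(char *out, size_t out_len, const char *arg)
{
    return snprintf(out, out_len, "%s", arg);
}

/* Audit helper: number of conversion directives in an untrusted string.
 * "%%" is an escaped percent sign and is not counted. A non-zero result
 * for input that is about to reach a printf-family format parameter is a
 * finding. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample argument, as it might arrive from a CLI line. */
    const char *arg = "status %x %s";

    cli_echo_hardened(buf, sizeof buf, arg);
    printf("hardened echo : \"%s\"\n", buf);   /* directives stay literal */
    printf("directives    : %d\n", count_format_directives(arg));
    printf("escaped pct   : %d\n", count_format_directives("100%% done"));
    return 0;
}
```

`cli_echo_vulnerable` is kept for comparison only; passing it an argument containing directives reads arguments that were never supplied, which is undefined behaviour, so the demonstration exercises the hardened path and the audit counter instead.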

Affected Products

FortiWeb version 7.0.0 through 7.0.1
FortiWeb 6.4 all versions

Solutions

Please upgrade to FortiWeb version 7.0.2 or above.

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.