FortiWeb - command injection in webserver

Summary

An improper neutralization of special elements used in an OS command vulnerability ('OS Command Injection') [CWE-78] in FortiWeb may allow authenticated users to execute unauthorized code or commands via specifically crafted HTTP requests.

| Version      | Affected              | Solution                     |
|--------------|-----------------------|------------------------------|
| FortiWeb 7.2 | Not affected          | Not Applicable               |
| FortiWeb 7.0 | 7.0.0 through 7.0.2   | Upgrade to 7.0.3 or above    |
| FortiWeb 6.4 | 6.4 all versions      | Migrate to a fixed release   |
| FortiWeb 6.3 | 6.3.6 through 6.3.20  | Upgrade to 6.3.21 or above   |

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team