Command injection in webserver


An improper neutralization of special elements used in an OS command vulnerability ('OS Command Injection') [CWE-78] in FortiWeb may allow authenticated users to execute unauthorized code or commands via specifically crafted HTTP requests.

Version         Affected                  Solution
FortiWeb 7.2    Not affected              Not Applicable
FortiWeb 7.0    7.0.0 through 7.0.2       Upgrade to 7.0.3 or above
FortiWeb 6.4    6.4 all versions          Migrate to a fixed release
FortiWeb 6.3    6.3.6 through 6.3.20      Upgrade to 6.3.21 or above
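For fleet triage, the following helper (an added example, not part of the advisory) encodes the version table above and classifies a FortiWeb version string; the function names and the "not in listed range" wording are my own, and versions older than a listed range are reported as unlisted rather than as safe.

```python
# Added example: classify a FortiWeb version against the advisory's table.
from typing import Optional, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Turn '7.0.2' or 'v6.4' into a tuple padded to three components."""
    parts = s.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (3 - len(v)) if len(v) < 3 else v

# (branch, first affected, last affected, remediation) exactly as the advisory lists them.
# A None upper bound means every release of that branch is affected.
AFFECTED = [
    ((7, 0), (7, 0, 0), (7, 0, 2), "Upgrade to 7.0.3 or above"),
    ((6, 4), (6, 4, 0), None, "Migrate to a fixed release"),
    ((6, 3), (6, 3, 6), (6, 3, 20), "Upgrade to 6.3.21 or above"),
]
NOT_AFFECTED_BRANCHES = {(7, 2)}

def assess(version: str) -> Tuple[str, str]:
    """Return (status, note) where status is one of
    'affected', 'not affected', 'not in listed range', 'unknown'."""
    v = parse_version(version)[:3]
    branch = v[:2]
    for b, lo, hi, fix in AFFECTED:
        if branch != b:
            continue
        if v >= lo and (hi is None or v <= hi):
            return ("affected", fix)
        # Same branch but outside the stated range: do not assert safety
        # beyond what the advisory says (e.g. releases older than the range).
        return ("not in listed range", f"{version} is outside the listed range for {b[0]}.{b[1]}")
    if branch in NOT_AFFECTED_BRANCHES:
        return ("not affected", f"{branch[0]}.{branch[1]} is listed as not affected")
    return ("unknown", f"branch {branch[0]}.{branch[1]} is not covered by this advisory")
```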


Internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security Team