Command injection in log & report module
Summary
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC, FortiDDoS and FortiDDoS-F may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.
Affected Products
FortiDDoS-F version 6.4.0
FortiDDoS-F version 6.3.0 through 6.3.3
FortiDDoS-F version 6.2.0 through 6.2.2
FortiDDoS-F version 6.1.0 through 6.1.4
FortiDDoS version 5.6.0 through 5.6.1
FortiDDoS version 5.5.0 through 5.5.1
FortiDDoS version 5.4.0 through 5.4.2
FortiDDoS version 5.3 all versions
FortiDDoS version 5.2 all versions
FortiDDoS version 5.1 all versions
FortiDDoS version 5.0 all versions
FortiDDoS version 4.x all versions
FortiADC version 7.1.0
FortiADC version 7.0.0 through 7.0.3
FortiADC version 6.2.0 through 6.2.4
FortiADC version 6.1 all versions
FortiADC version 6.0 all versions
FortiADC version 5.x all versions
Solutions
Please upgrade to FortiDDoS-F version 6.4.1 or above
Please upgrade to FortiDDoS-F version 6.3.4 or above
Please upgrade to FortiDDoS-F version 6.2.3 or above
Please upgrade to FortiDDoS-F version 6.1.5 or above
Please upgrade to FortiDDoS version 5.7.0 or above
Please upgrade to FortiDDoS version 5.6.2 or above
Please upgrade to FortiDDoS version 5.5.2 or above
Please upgrade to FortiDDoS version 5.4.3 or above
Please upgrade to FortiADC version 7.1.1 or above
Please upgrade to FortiADC version 7.0.4 or above
Please upgrade to FortiADC version 6.2.5 or above
Timeline
2023-04-11: Initial publication