Command injection in log & report module

Summary

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC, FortiDDoS and FortiDDoS-F may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Affected Products

FortiDDoS-F version 6.4.0
FortiDDoS-F version 6.3.0 through 6.3.3
FortiDDoS-F version 6.2.0 through 6.2.2
FortiDDoS-F version 6.1.0 through 6.1.4


FortiDDoS version 5.6.0 through 5.6.1
FortiDDoS version 5.5.0 through 5.5.1
FortiDDoS version 5.4.0 through 5.4.2
FortiDDoS version 5.3 all versions
FortiDDoS version 5.2 all versions
FortiDDoS version 5.1 all versions
FortiDDoS version 5.0 all versions
FortiDDoS version 4.x all versions
FortiADC version 7.1.0
FortiADC version 7.0.0 through 7.0.3
FortiADC version 6.2.0 through 6.2.4
FortiADC version 6.1 all versions
FortiADC version 6.0 all versions
FortiADC version 5.x all versions

Solutions

Please upgrade to FortiDDoS-F version 6.4.1 or above
Please upgrade to FortiDDoS-F version 6.3.4 or above
Please upgrade to FortiDDoS-F version 6.2.3 or above
Please upgrade to FortiDDoS-F version 6.1.5 or above
Please upgrade to FortiDDoS version 5.7.0 or above
Please upgrade to FortiDDoS version 5.6.2 or above
Please upgrade to FortiDDoS version 5.5.2 or above
Please upgrade to FortiDDoS version 5.4.3 or above
Please upgrade to FortiADC version 7.1.1 or above
Please upgrade to FortiADC version 7.0.4 or above
Please upgrade to FortiADC version 6.2.5 or above

Timeline

2023-04-11: Initial publication