PSIRT

Arbitrary file listing and deletion through the CLI

Summary

An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiAP-U may allow an authenticated attacker to list and delete arbitrary files and directory via specially crafted command arguments.

Version	Affected	Solution
FortiAP-U 7.0	7.0.0	Upgrade to 7.0.1 or above
FortiAP-U 6.2	6.2.0 through 6.2.5	Upgrade to 6.2.6 or above
FortiAP-U 6.0	6.0 all versions	Migrate to a fixed release
FortiAP-U 5.4	5.4 all versions	Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.

Timeline

2023-09-13: Initial publication

IR Number	FG-IR-23-123
Published Date	Sep 13, 2023
Component	CLI
Severity	Medium
CVSSv3 Score	6.5
Impact	Improper access control
CVE ID
Download	CVRF CSAF

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

Arbitrary file listing and deletion through the CLI

Summary

Acknowledgement

Timeline

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

Arbitrary file listing and deletion through the CLI

Summary

Acknowledgement

Timeline

Threat Intelligence
Center