An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.
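The vulnerability class named above, CWE-78, arises when a value taken from a request is concatenated into a command line that a shell interprets. The following illustration is added here and is not FortiSIEM's code: the endpoint, the `host` parameter and the `ping` command are hypothetical stand-ins chosen to show the pattern and its mitigation (allow-list validation plus argv execution with no shell), not anything known about the affected supervisor component.

```python
"""Added illustration of CWE-78 (OS command injection) beside a hardened form.
Hypothetical handler: the parameter name, allow-list and command are assumptions,
not FortiSIEM code. Runs offline; the child process is Python, not ping."""
import re
import subprocess
import sys

# Allow-list for the one parameter this hypothetical endpoint accepts: a
# hostname built from letters, digits, dots and hyphens (RFC 1123 subset).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Characters a POSIX shell treats specially; useful for log review as well.
SHELL_METACHARS = ";|&$`<>()\n\"'\\ "


def shell_metachars_present(value: str) -> bool:
    """True if the value contains a character a POSIX shell would interpret."""
    return any(ch in value for ch in SHELL_METACHARS)


def build_command_vulnerable(host: str) -> str:
    """CWE-78 pattern: request parameter concatenated into a shell string.
    Handed to a shell, a value containing ';' runs more than one command.
    Kept here only to show what the hardened builder below refuses to do."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Reject anything outside the allow-list before it nears a command."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected: parameter is not a valid hostname")
    return host


def build_command_hardened(host: str) -> list:
    """Hardened form: validated value becomes exactly one argv element and the
    command is meant to be run without a shell (subprocess with a list)."""
    return ["ping", "-c", "1", validate_host(host)]


def run_argv_literally(argv: list) -> str:
    """Execute an argv list with no shell and return the last argument exactly
    as the child saw it. The Python interpreter stands in for the real binary
    so the demonstration needs no network; the point is that metacharacters
    in a single argv element are passed through as literal text."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[-1])"] + argv[1:]
    proc = subprocess.run(child, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def review_parameter(host: str) -> dict:
    """Summarise how one request value would fare under each pattern; handy
    for a detection rule or for explaining the bug class in a code review."""
    result = {
        "value": host,
        "metachars": shell_metachars_present(host),
        "vulnerable_cmdline": build_command_vulnerable(host),
    }
    try:
        result["hardened_argv"] = build_command_hardened(host)
        result["accepted"] = True
    except ValueError as exc:
        result["hardened_argv"] = None
        result["accepted"] = False
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed sample values: one legitimate hostname, one containing a
    # shell separator. Neither is taken from the advisory.
    for sample in ("host-1.example.test", "example.test; echo injected"):
        print(review_parameter(sample))
    print(run_argv_literally(["ping", "-c", "1", "example.test; echo injected"]))
```

The `run_argv_literally` call shows why the argv form matters even before validation: the string containing `;` reaches the child as one argument and is never parsed as a command separator, whereas `build_command_vulnerable` produces a line that a shell would split. Validation is still applied first in the hardened path, because a program such as `ping` can itself misinterpret odd arguments, and an allow-list also gives a clean signal for logging rejected requests.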
Affected Products
FortiSIEM version 7.0.0
FortiSIEM version 6.7.0 through 6.7.5
FortiSIEM version 6.6.0 through 6.6.3
FortiSIEM version 6.5.0 through 6.5.1
FortiSIEM version 6.4.0 through 6.4.2
Please upgrade to FortiSIEM version 7.0.1 or above
Please upgrade to FortiSIEM version 6.7.6 or above
Please upgrade to FortiSIEM upcoming version 6.6.4 or above
Please upgrade to FortiSIEM upcoming version 6.5.2 or above
Please upgrade to FortiSIEM upcoming version 6.4.3 or above
Acknowledgement
Fortinet is pleased to thank security researcher Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting this vulnerability under responsible disclosure.
2023-10-02: Initial publication