FortiWLM - Authenticated command injection vulnerability

Summary

Multiple Improper neutralization of special elements used in an os command vulnerabilities [CWE-78] in FortiWLM may allow a remote authenticated attacker with low privilege to execute unauthorized commands via specifically crafted http get request parameters.

Affected Products

FortiWLM version 8.6.5 and below
FortiWLM version 8.5.4 and below

Solutions

Please upgrade to FortiWLM version 8.6.6 or above
Please upgrade to FortiWLM version 8.5.5 or above

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2023-09-29: Initial publication