FortiWLM - Unauthenticated SQL Injection Vulnerability

Summary

An improper neutralization of special elements used in an SQL command [CWE-89] in FortiWLM may allow a remote unauthenticated attacker to execute unauthorized SQL queries via a crafted HTTP request.

Solutions

Please upgrade to FortiWLM version 8.6.6 or above
Please upgrade to FortiWLM version 8.5.5 or above
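The two lines above are the only remediation statements in this advisory, so the practical check for an administrator is whether a deployed FortiWLM build is at or above the fixed release for its branch. The script below is an added example, not Fortinet's code: it encodes exactly the two fixed versions named here (8.6.6 and 8.5.5), assumes FortiWLM reports its version as a three-part "major.minor.patch" string, and deliberately reports any other release train as not covered by this advisory rather than guessing.

```python
"""Check FortiWLM version strings against the fixed releases in this advisory.

Added example (not Fortinet's tooling). Assumptions:
  * version strings look like "8.6.3" (major.minor.patch, all integers);
  * only the two fixed releases named in the advisory are known here;
    any other branch is reported as "not-covered", not as safe.
"""

# Fixed release per branch, taken from the advisory's Solutions section.
FIXED_RELEASES = {
    (8, 6): (8, 6, 6),
    (8, 5): (8, 5, 5),
}


def parse_version(text):
    """Turn "8.6.3" into (8, 6, 3); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return "fixed", "upgrade-required" or "not-covered" for one version string."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])  # look up by (major, minor) branch
    if fixed is None:
        # The advisory says nothing about this branch; do not infer safety.
        return "not-covered"
    return "fixed" if version >= fixed else "upgrade-required"


def assess_inventory(versions):
    """Map each reported version to its assessment; useful over an asset list."""
    return {v: assess(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["8.6.6", "8.6.5", "8.5.5", "8.5.4", "8.6.10", "8.4.1"]
    for version, verdict in assess_inventory(sample).items():
        print(f"{version:>8}  {verdict}")
```

Branch-aware comparison matters here: a plain numeric "is it at least 8.6.6" test would wrongly flag a patched 8.5.5 build as vulnerable, and a plain "is it at least 8.5.5" test would wrongly clear an unpatched 8.6.0 build.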

Acknowledgement

Fortinet is pleased to thank security researcher Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting this vulnerability under responsible disclosure.

Timeline

2023-11-06: Initial publication