FortiManager & FortiAnalyzer - Arbitrary file deletion

Summary

An improper neutralization of special elements used in an OS Command [CWE-22] in FortiManager and FortiAnalyzer may allow a low privileged authenticated attacker to delete arbitrary files via the CLI.

Version Affected Solution
FortiAnalyzer 7.4 7.4.0 Upgrade to 7.4.1 or above
FortiAnalyzer 7.2 7.2.0 through 7.2.3 Upgrade to 7.2.4 or above
FortiAnalyzer 7.0 7.0.0 through 7.0.8 Upgrade to 7.0.9 or above
FortiAnalyzer 6.4 6.4.0 through 6.4.12 Upgrade to 6.4.13 or above
FortiAnalyzer 6.2 6.2.0 through 6.2.11 Upgrade to 6.2.12 or above
FortiManager 7.4 7.4.0 Upgrade to 7.4.1 or above
FortiManager 7.2 7.2.0 through 7.2.3 Upgrade to 7.2.4 or above
FortiManager 7.0 7.0.0 through 7.0.8 Upgrade to 7.0.9 or above
FortiManager 6.4 6.4.0 through 6.4.12 Upgrade to 6.4.13 or above
FortiManager 6.2 6.2.0 through 6.2.11 Upgrade to 6.2.12 or above

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2023-10-02: Initial publication