CSV injection in log download feature
Summary
An improper neutralization of formula elements in a CSV file vulnerability [CWE-1236] in FortiClientEMS may allow a remote and unauthenticated attacker to execute arbitrary commands on the admin workstation by sending crafted requests to the server that create malicious log entries, which are later exported to CSV by the log download feature.
| Version | Affected | Solution |
|---|---|---|
| FortiClientEMS 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
| FortiClientEMS 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
| FortiClientEMS 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiClientEMS 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiClientEMS 6.0 | 6.0 all versions | Migrate to a fixed release |
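As an added illustration of the weakness class named in the summary (example code written for this page, not code from Fortinet or from FortiClientEMS), the Python below shows a log-export routine that writes attacker-influenced log text to CSV unchanged, beside a version that neutralizes leading formula characters, plus a check that can be run over an exported file. The field names and sample log entries are constructed.

```python
"""CWE-1236: neutralizing formula elements when exporting log entries to CSV."""
import csv
import io

# Leading characters that make common spreadsheet applications interpret a
# cell as a formula instead of text (OWASP CSV-injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text with a leading formula trigger made inert."""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        # A leading apostrophe tells spreadsheets to store the cell as text.
        # Trade-off: legitimate values such as "-1 retry" are prefixed too.
        text = "'" + text
    return text


def export_logs_unsafe(rows):
    """Vulnerable pattern: log fields reach the CSV exactly as logged."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["timestamp", "host", "message"])
    for row in rows:
        writer.writerow([row["timestamp"], row["host"], row["message"]])
    return buf.getvalue()


def export_logs_safe(rows):
    """Hardened pattern: every cell is neutralized and quoted before writing."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["timestamp", "host", "message"])
    for row in rows:
        writer.writerow([neutralize_cell(row[k]) for k in ("timestamp", "host", "message")])
    return buf.getvalue()


def has_formula_cell(csv_text):
    """Review check: does any parsed cell still begin with a formula trigger?"""
    return any(cell.startswith(FORMULA_PREFIXES)
               for row in csv.reader(io.StringIO(csv_text)) for cell in row)


# Constructed sample: the message field is client-supplied text that the
# server records in its log; the middle entry is an inert formula.
SAMPLE_LOGS = [
    {"timestamp": "2024-02-22T10:00:00Z", "host": "ems-client-01", "message": "registration ok"},
    {"timestamp": "2024-02-22T10:00:01Z", "host": "ems-client-02", "message": "=SUM(1,2)"},
    {"timestamp": "2024-02-22T10:00:02Z", "host": "ems-client-03", "message": "-1 retry"},
]
```

Running `has_formula_cell` over both exports shows the unsafe output still carries cells that a spreadsheet would evaluate, while the hardened output does not.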
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security Team.
Timeline
2024-02-22: Initial publication