FortiPortal - Schedule System Backup Page OS Command Injection


An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specially crafted arguments in the Schedule System Backup page field.

Version           Affected               Solution
FortiPortal 7.2   7.2.0                  Upgrade to 7.2.1 or above
FortiPortal 7.0   7.0.0 through 7.0.6    Upgrade to 7.0.7 or above
FortiPortal 6.0   Not affected           Not Applicable
FortiPortal 5.3   Not affected           Not Applicable


Internally discovered and reported by Gary Chung of the Fortinet Burnaby FortiPortal team.


2023-12-11: Initial publication