FortiClientEMS - Directory Traversal vulnerability
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-20-074
Final
1
1
2021-10-05T00:00:00
Current version
2021-10-05T00:00:00
2021-10-05T00:00:00
A path traversal vulnerability [CWE-22] in FortiClientEMS may allow an authenticated attacker to add or delete files on the server by injecting directory traversal character sequences into the name parameter of Deployment Packages.
None
Escalation of privilege
FortiClientEMS version 6.4.1 and below. FortiClientEMS version 6.2.8 and below.
Please upgrade to version 6.2.9 or above. Please upgrade to version 6.4.2 or above.
Fortinet is pleased to thank Researcher Johnatan Camargo and Researcher Danilo Costa for reporting this vulnerability under responsible disclosure.
FortiClientEMS 6.4.1
FortiClientEMS 6.4.0
FortiClientEMS 6.2.8
FortiClientEMS 6.2.7
FortiClientEMS 6.2.6
FortiClientEMS 6.2.4
FortiClientEMS 6.2.3
FortiClientEMS 6.2.2
FortiClientEMS 6.2.1
FortiClientEMS 6.2.0
CVE-2020-15941
FortiClientEMS-6.4.1
FortiClientEMS-6.4.0
FortiClientEMS-6.2.8
FortiClientEMS-6.2.7
FortiClientEMS-6.2.6
FortiClientEMS-6.2.4
FortiClientEMS-6.2.3
FortiClientEMS-6.2.2
FortiClientEMS-6.2.1
FortiClientEMS-6.2.0
5.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:F/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-20-074