OS command injection due to direct input interpolation in API controllers Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-180 Final 1 1 2022-02-01T00:00:00 Current version 2022-02-01T00:00:00 2022-02-01T00:00:00 An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute arbitrary code or commands via crafted HTTP requests to ApplicationDelivery, JsonProtection and WebProtection controllers. Execute unauthorized code or commands FortiWeb version 5.9.0 through 5.9.1FortiWeb version 6.0.0 through 6.0.7FortiWeb version 6.1.0 through 6.1.2FortiWeb version 6.2.0 through 6.2.6FortiWeb version 6.3.0 through 6.3.16FortiWeb version 6.4.0 through 6.4.1 Upgrade to FortiWeb version 7.0.0 or aboveUpgrade to FortiWeb version 6.4.2 or aboveUpgrade to FortiWeb version 6.3.17 or aboveUpgrade to FortiWeb version 6.2.7 or aboveUpgrade to FortiWeb version 6.1.3 or aboveUpgrade to FortiWeb version 6.0.8 or aboveUpgrade to FortiWeb version 5.9.2 or above Internally discovered and reported by Mattia Fecit of Fortinet Product Security team. CVE-2021-43073 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-180 OS command injection due to direct input interpolation in API controllers Reference>