Excel formula injection in P&O IPv4 Policy names Vulnerability
Summary
An improper neutralization of formula elements vulnerability (CWE-1236) in FortiManager may allow a local authenticated privileged attacker to execute arbitrary shell code on the end-user's host by inserting a CSV formula into policy names. The attack takes effect once the user downloads and opens the configuration csv/xls* file.
Affected Products
FortiManager v6.4.3 and below.
FortiManager v6.2.7 and below.
Solutions
Upgrade to FortiManager v6.4.4 or above.
Upgrade to FortiManager v6.2.8 or above.
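
The check below is an added example, not Fortinet code and not part of the original advisory. It scans a policy export for name cells that a spreadsheet would treat as a formula and rewrites them as plain text before the file is opened. The column name `Name`, the CSV layout and the sample rows are constructed assumptions, not the real FortiManager export format.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (the set listed in OWASP's CSV injection guidance).
FORMULA_LEADS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; the real file layout is an assumption.
SAMPLE_EXPORT = (
    "Seq,Name,Source,Destination,Action\r\n"
    "1,Allow-Web,all,all,accept\r\n"
    '2,"=SUM(1,1)",all,all,accept\r\n'
    "3,@lab-policy,all,all,deny\r\n"
    "4, +guest,all,all,deny\r\n"
)


def is_formula_cell(value: str) -> bool:
    """True if the cell starts with a formula trigger character."""
    # Conservative: also flag when only spaces precede the trigger.
    return value.lstrip(" ").startswith(FORMULA_LEADS)


def neutralize(value: str) -> str:
    """Prefix a single quote so the spreadsheet shows the cell as text."""
    return "'" + value if is_formula_cell(value) else value


def scan_export(text: str, column: str = "Name"):
    """Return (file line number, value) for each suspicious policy name."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return [(reader.line_num, row[column]) for row in reader
            if is_formula_cell(row.get(column) or "")]


def sanitize_export(text: str) -> str:
    """Rewrite every cell so none is evaluated; the csv module handles quoting."""
    out = io.StringIO(newline="")
    writer = csv.writer(out)
    for row in csv.reader(io.StringIO(text, newline="")):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for line_no, name in scan_export(SAMPLE_EXPORT):
        print(f"line {line_no}: suspicious policy name {name!r}")
```

A hit on a legitimate name that happens to begin with `-` or `+` is expected; review flagged names in the policy package rather than in the spreadsheet.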