FortiWeb - Multiple command injection vulnerabilities

Summary

Multiple command injection vulnerabilities [CWE-78] in the command line interpreter of FortiWeb may allow an authenticated attacker to execute arbitrary commands on the underlying system shell via specially crafted command arguments.

Affected Products

FortiWeb 6.4.1 and earlier.
FortiWeb 6.3.15 and earlier.
FortiWeb 6.2.5 and earlier.
FortiWeb 6.1.2 and earlier.

Solutions

Upgrade to FortiWeb 7.0.0 and later.
Upgrade to FortiWeb 6.4.2 and later.
Upgrade to FortiWeb 6.3.16 and later.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.