FortiWeb - OS Command Injection because of missing input parameter sanitization

Summary

Multiple improper neutralization of special elements vulnerabilities [CWE-89] used in a command in FortiWeb may allow an authenticated attacker to execute unauthorized code or commands via crafted parameters of HTTP requests.

Affected Products

FortiWeb version 6.3.13 or below is impacted
FortiWeb version 6.2.4 or below is impacted

Solutions

Upgrade to FortiWeb 6.3.14 or above
Upgrade to FortiWeb 6.2.5 or above

Acknowledgement

Fortinet is pleased to thank H4lo from DBappSecurity Co.,Ltd Hatlab for reporting this vulnerability under responsible disclosure.