virus logo PSIRT

Command injection in CLI backup functionality

Summary

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow a privileged attacker to execute arbitrary bash commands via crafted cli backup parameters.

Affected Products

FortiWeb version 7.0.0 through 7.0.1
FortiWeb version 6.3.6 through 6.3.18
FortiWeb 6.4 all versions

Solutions

Please upgrade to FortiWeb version 7.0.2 or above
Please upgrade to FortiWeb version 6.3.19 or above

Timeline

2023-02-16: Initial publication

IR Number FG-IR-22-131
Published Date Feb 16, 2023
Component GUI
Severity High
CVSSv3 Score 7.2
Impact Execute unauthorized code or commands
CVE ID CVE-2023-23777
CVRF Download