FortiWeb - format string vulnerability in the CLI

Summary

A format string vulnerability [CWE-134] in the command line interpreter of FortiWeb may allow an authenticated user to execute unauthorized code or commands via specially crafted command arguments.

Version        Affected              Solution
FortiWeb 7.0   7.0.0 through 7.0.1   Upgrade to 7.0.2 or above
FortiWeb 6.4   6.4 all versions      Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.