Arbitrary file listing and deletion through the CLI
Summary
An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiAP-U may allow an authenticated attacker to list and delete arbitrary files and directory via specially crafted command arguments.
Version | Affected | Solution |
---|---|---|
FortiAP-U 7.0 | 7.0.0 | Upgrade to 7.0.1 or above |
FortiAP-U 6.2 | 6.2.0 through 6.2.5 | Upgrade to 6.2.6 or above |
FortiAP-U 6.0 | 6.0 all versions | Migrate to a fixed release |
FortiAP-U 5.4 | 5.4 all versions | Migrate to a fixed release |
Acknowledgement
Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.Timeline
2023-09-01: Initial publication