CVE-2023-48782: Fortiguard
An improper neutralization of special elements used in an OS command ('OS command injection') [CWE-78] in Fortinet FortiWLM version 8.6.0 through 8.6.5 allows an attacker to execute unauthorized code or commands via specifically crafted HTTP GET request parameters.
FortiWLM - authenticated command injection vulnerability
Summary
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiWLM may allow a remote authenticated attacker with low privileges to execute unauthorized commands via specifically crafted HTTP GET request parameters.
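The advisory names the weakness class (CWE-78) and the vector (values in HTTP GET parameters) but, as is normal for a PSIRT notice, shows no code. The example below is added here to illustrate that class in general; it is not FortiWLM code and nothing in it is derived from the product. The endpoint path (/diag), the parameter name (host), the wrapped command (ping) and the access-log lines are all constructed assumptions. It contrasts the vulnerable string-concatenation pattern with a hardened argv-plus-allowlist pattern, and adds a small access-log scan a defender could run to spot GET parameter values carrying shell metacharacters.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl

# Constructed stand-in for a diagnostic web handler that takes a hostname from
# the query string and shells out to a network utility. The parameter name
# and the wrapped command are assumptions for illustration only.

# Allowlist for a hostname/IP literal: letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters a POSIX shell treats as command separators, redirections or
# expansions; any of these in a parameter value is worth a second look.
SHELL_META = set(";|&`$()<>\n")


def vulnerable_command(params: Dict[str, str]) -> str:
    """CWE-78 pattern: the untrusted 'host' value is concatenated into a
    string that would later be handed to a shell. Returned, not executed,
    so the defect can be inspected safely."""
    return "ping -c 1 " + params.get("host", "")


def hardened_command(params: Dict[str, str]) -> List[str]:
    """Fixed pattern: validate against an allowlist, then build an argv list.
    Passing a list to subprocess.run(..., shell=False) means the value is a
    single argument and can never become a second command."""
    host = params.get("host", "")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


# Constructed access-log lines in common log format (not real traffic).
ACCESS_LOG = [
    '10.1.1.5 - admin [07/Dec/2023:10:00:01 +0000] "GET /diag?host=10.0.0.1 HTTP/1.1" 200 512',
    '10.1.1.9 - admin [07/Dec/2023:10:00:07 +0000] "GET /diag?host=10.0.0.1%3Bid HTTP/1.1" 200 640',
]

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')


def suspicious_query_values(query: str) -> Dict[str, str]:
    """Decode a raw query string and return the parameters whose value
    contains a shell metacharacter after URL-decoding."""
    flagged: Dict[str, str] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if any(ch in SHELL_META for ch in value):
            flagged[key] = value
    return flagged


def flag_log_lines(lines: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Scan access-log lines and return (line_index, flagged_params) for each
    GET request whose decoded parameters contain shell metacharacters."""
    hits: List[Tuple[int, Dict[str, str]]] = []
    for idx, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        _path, _sep, query = match.group(1).partition("?")
        flagged = suspicious_query_values(query)
        if flagged:
            hits.append((idx, flagged))
    return hits


if __name__ == "__main__":
    injected = {"host": "10.0.0.1; id"}
    print("vulnerable builds:", vulnerable_command(injected))
    try:
        hardened_command(injected)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("hardened builds:", hardened_command({"host": "10.0.0.1"}))
    print("log hits:", flag_log_lines(ACCESS_LOG))
```

The log scan is a coarse heuristic: it decodes each GET parameter and looks for separator or expansion characters, which is enough to surface the pattern the advisory describes in retrospective log review, while legitimate values such as plain hostnames or IP addresses pass untouched. The hardened handler relies on two independent controls, an allowlist on the value and the absence of a shell, so that a gap in one does not by itself reopen the injection.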
Version        Affected               Solution
FortiWLM 8.6   8.6.0 through 8.6.5    Upgrade to 8.6.6 or above
FortiWLM 8.5   Not affected           Not Applicable
Acknowledgement
Fortinet is pleased to thank security researcher Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-12-07: Initial publication
Related news
Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.