Headline
CVE-2023-48791: Fortiguard
An improper neutralization of special elements used in a command (‘Command Injection’) vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.
FortiPortal - Schedule System Backup Page OS Command Injection
Summary
An improper neutralization of special elements used in a command (‘Command Injection’) vulnerability [CWE-77] in FortiPortal may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.
| Version | Affected | Solution |
|---|---|---|
| FortiPortal 7.2 | 7.2.0 | Upgrade to 7.2.1 or above |
| FortiPortal 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
| FortiPortal 6.0 | Not affected | Not Applicable |
| FortiPortal 5.3 | Not affected | Not Applicable |
Acknowledgement
Internally discovered and reported by Gary Chung of Fortinet Burnaby FortiPortal team.
Timeline
2023-12-11: Initial publication