Headline
CVE-2022-26116: Fortiguard
Multiple improper neutralization of special elements used in SQL commands (‘SQL Injection’) vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.
** PSIRT Advisories**
FortiNAC - SQL Injection
Summary
Multiple improper neutralization of special elements used in SQL commands (‘SQL Injection’) vulnerability [CWE-89] in FortiNAC may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.
Affected Products
FortiNAC version 8.3.7
FortiNAC version 8.5.0 through 8.5.2
FortiNAC version 8.5.4
FortiNAC version 8.6.0
FortiNAC version 8.6.2 through 8.6.5
FortiNAC version 8.7.0 through 8.7.6
FortiNAC version 8.8.0 through 8.8.11
FortiNAC version 9.1.0 through 9.1.5
FortiNAC version 9.2.0 through 9.2.2
Solutions
Upgrade to FortiNAC version 10.0.0 or above,
Upgrade to FortiNAC version 9.4.0 or above,
Upgrade to FortiNAC version 9.2.3 or above,
Upgrade to FortiNAC version 9.1.6 or above,
Acknowledgement
Internally discovered and reported by Giulia Clerici of the Fortinet Product Security team.
Related news
Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.