CVE-2023-34991: Fortiguard
An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWLM versions 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.4.0 through 8.4.2, 8.3.0 through 8.3.2, and 8.2.2 allows an attacker to execute unauthorized code or commands via a crafted HTTP request.
**PSIRT Advisories**
FortiWLM - Unauthenticated SQL Injection Vulnerability
Summary
An improper neutralization of special elements used in an SQL command [CWE-89] in FortiWLM may allow a remote unauthenticated attacker to execute unauthorized SQL queries via a crafted HTTP request.
Solutions
Please upgrade to FortiWLM version 8.6.6 or above
Please upgrade to FortiWLM version 8.5.5 or above
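Added example (not Fortinet's code) for vulnerability-management use: a checker that maps a FortiWLM version string onto the affected ranges and fixed releases stated in this advisory. Treating the 8.5.5 / 8.6.6 releases as the upgrade target for branches 8.4 and older is an assumption, since the advisory names no fixed build on those branches.

```python
"""Affected-version check for CVE-2023-34991 (FortiWLM SQL injection).

Added example, not Fortinet's code. Affected ranges and fixed releases
are those stated in the advisory; the upgrade target for branches 8.4
and older is an assumption (no fixed build is named for them).
"""
from __future__ import annotations

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((8, 6, 0), (8, 6, 5)),
    ((8, 5, 0), (8, 5, 4)),
    ((8, 4, 0), (8, 4, 2)),
    ((8, 3, 0), (8, 3, 2)),
    ((8, 2, 2), (8, 2, 2)),
]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(8, 6): (8, 6, 6), (8, 5): (8, 5, 5)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a 'major.minor.patch' string (a leading 'v' is tolerated)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWLM version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """Upgrade target for an affected version, or None when not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return ".".join(map(str, fixed))
    # Assumption: 8.4 and older have no fixed build in the advisory, so the
    # only stated remedies are the 8.5.5 and 8.6.6 releases.
    return "8.5.5 or 8.6.6"
```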
Acknowledgement
Fortinet is pleased to thank security researcher Zach Hanley (@hacks_zach) of Horizon3.ai for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-11-06: Initial publication