Headline
Fortinet and Zoho Urge Customers to Patch Enterprise Software Vulnerabilities
Fortinet has warned of a high-severity flaw affecting multiple versions of FortiADC application delivery controller that could lead to the execution of arbitrary code. "An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP
Application Security / SQLi
Fortinet has warned of a high-severity flaw affecting multiple versions of FortiADC application delivery controller that could lead to the execution of arbitrary code.
“An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests,” the company said in an advisory.
The vulnerability, tracked as CVE-2022-39947 (CVSS score: 8.6) and internally discovered by its product security team, impacts the following versions -
- FortiADC version 7.0.0 through 7.0.2
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 6.1.0 through 6.1.6
- FortiADC version 6.0.0 through 6.0.4
- FortiADC version 5.4.0 through 5.4.5
Users are recommended to upgrade to FortiADC versions 6.2.4 and 7.0.2 as and when they become available.
The January 2023 patches also address a number of command injection vulnerabilities in FortiTester (CVE-2022-35845, CVSS score: 7.6) that could permit an authenticated attacker to execute arbitrary commands in the underlying shell.
Zoho Ships Fixes For An SQLi Flaw
Enterprise software provider Zoho is also urging customers to upgrade to the latest versions of Access Manager Plus, PAM360, and Password Manager Pro following the discovery of a severe SQL injection (SQLi) vulnerability.
Assigned the identifier CVE-2022-47523, the issue affects Access Manager Plus versions 4308 and below; PAM360 versions 5800 and below; and Password Manager Pro versions 12200 and below.
“This vulnerability can allow an adversary to execute custom queries, and access the database table entries using the vulnerable request,” the India-based company said, adding it fixed the bug by adding proper validation and escaping special characters.
Although exact specifics about the shortcoming have not been disclosed, Zoho’s release notes reveal that the flaw was identified in its internal framework and that it could enable all users to “access the backend database.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiADC version 7.0.0 through 7.0.2, FortiADC version 6.2.0 through 6.2.3, FortiADC version version 6.1.0 through 6.1.6, FortiADC version 6.0.0 through 6.0.4, FortiADC version 5.4.0 through 5.4.5 may allow an attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiTester 7.1.0, 7.0 all versions, 4.0.0 through 4.2.0, 2.3.0 through 3.9.1 may allow an authenticated attacker to execute arbitrary commands in the underlying shell.