=====================================================================
CERT-Renater Note d'Information No. 2023/VULN325
_____________________________________________________________________
DATE : 14/09/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running FortiADC versions prior to 7.1.2, 7.0.4, 6.2.6.
=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-22-310
_____________________________________________________________________

FortiADC - Command injection in Automation/Webhook module

IR Number    : FG-IR-22-310
Date         : Sep 13, 2023
Component    : GUI
Severity     : High
CVSSv3 Score : 7.4
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2022-35849

Affected Products:
FortiADC : 7.1.1, 7.1.0, 7.0.3, 7.0.2, 7.0.1, 7.0.0, 6.2.5, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.1.6, 6.1.5, 6.1.4, 6.1.3, 6.1.2, 6.1.1, 6.1.0

Summary
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the management interface of FortiADC may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Affected Products
FortiADC version 7.1.0 through 7.1.1
FortiADC version 7.0.0 through 7.0.3
FortiADC version 6.2.0 through 6.2.5
FortiADC version 6.1.0 all versions

Solutions
Please upgrade to FortiADC version 7.1.2 or above
Please upgrade to FortiADC version 7.0.4 or above
Please upgrade to FortiADC version 6.2.6 or above

Timeline
2023-08-30: Initial publication

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email:cert@support.renater.fr  +
=========================================================
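As an added example (not part of the CERT-Renater note or of Fortinet's advisory), a small Python triage helper that maps the affected ranges and fixed releases listed above onto an appliance inventory, so an operator can tell at a glance which FortiADC units still need the upgrade. Hostnames, build strings and the inventory are constructed.

```python
"""Check FortiADC version strings against the affected ranges and fixed
releases published for FG-IR-22-310 / CVE-2022-35849 (added example)."""
import re

# (first affected, last affected, first fixed) per branch, as listed in the advisory.
# The 6.1 branch has no fixed release listed: every 6.1.x is affected.
AFFECTED_BRANCHES = {
    "7.1": ((7, 1, 0), (7, 1, 1), (7, 1, 2)),
    "7.0": ((7, 0, 0), (7, 0, 3), (7, 0, 4)),
    "6.2": ((6, 2, 0), (6, 2, 5), (6, 2, 6)),
    "6.1": ((6, 1, 0), None, None),
}


def parse_version(text):
    """Turn a banner such as 'FortiADC v7.0.3,build0145' (constructed) or a bare
    '7.0.3' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version_text):
    """Return (status, recommendation) for one appliance, where status is
    'affected', 'fixed' or 'unknown'. Branches the advisory does not name
    (for example 6.0 or 5.x) are reported as unknown rather than guessed."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED_BRANCHES:
        return "unknown", f"{branch}.x is not listed in FG-IR-22-310; check the vendor advisory"
    first, last, fixed = AFFECTED_BRANCHES[branch]
    if fixed is None:
        return "affected", "no fixed release in this branch; upgrade to 6.2.6, 7.0.4 or 7.1.2 or above"
    if first <= v <= last:
        return "affected", f"upgrade to FortiADC {'.'.join(map(str, fixed))} or above"
    return "fixed", "no action required for CVE-2022-35849"


def triage(inventory):
    """Assess an inventory {hostname: version string}; returns {hostname: (status, note)}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"adc-edge-1": "FortiADC v7.0.3,build0145", "adc-edge-2": "7.1.2", "adc-lab": "6.1.4"}
    for host, (status, note) in triage(sample).items():
        print(f"{host:12} {status:9} {note}")
```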