=====================================================================

                             CERT-Renater

                   Information Note No. 2023/VULN329

_____________________________________________________________________

DATE                : 14/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiAP-U versions prior to 7.0.1,
                     6.2.6.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-23-123
_____________________________________________________________________


FortiAP-U - Arbitrary file listing and deletion through the CLI


Summary

An "incomplete filtering of one or more instances of special elements"
vulnerability [CWE-792] in the command line interpreter of
FortiAP-U may allow an authenticated attacker to list and delete
arbitrary files and directories via specially crafted command
arguments.


Affected Products

FortiAP-U version 7.0.0
FortiAP-U version 6.2.0 through 6.2.5
FortiAP-U 6.0 all versions
FortiAP-U 5.4 all versions


Solutions

Please upgrade to FortiAP-U version 7.0.1 or above
Please upgrade to FortiAP-U version 6.2.6 or above


Acknowledgement

Internally discovered and reported by Wilfried Djettchou of
Fortinet Product Security team.


Timeline

2023-09-01: Initial publication


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
