=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN398

_____________________________________________________________________

DATE                : 12/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiWLM versions prior to 8.6.6
                     or 8.5.5.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-23-141
_____________________________________________________________________


FortiWLM - Authenticated command injection vulnerability

IR Number    : FG-IR-23-141
Date         : Oct 10, 2023
Component    : GUI
Severity     : High
CVSSv3 Score : 8.6
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2023-34989
Affected Products:
   FortiWLM: 8.6.5, 8.6.4, 8.6.3, 8.6.2, 8.6.1, 8.6.0, 8.5.4, 8.5.3,
             8.5.2, 8.5.1, 8.5.0


Summary

Multiple improper neutralization of special elements used in an OS
command vulnerabilities [CWE-78] in FortiWLM may allow a remote
authenticated attacker with low privilege to execute unauthorized
commands via specifically crafted HTTP GET request parameters.


Affected Products

FortiWLM version 8.6.5 and below
FortiWLM version 8.5.4 and below


Solutions

Please upgrade to FortiWLM version 8.6.6 or above
Please upgrade to FortiWLM version 8.5.5 or above
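The affected/fixed boundaries above are easy to get wrong when checking an inventory by hand or with a plain string comparison (where "8.6.10" sorts before "8.6.6"). The following is an added example, not code from CERT-Renater or Fortinet, that encodes the two fixed versions stated in this note and triages a constructed list of FortiWLM appliances. It assumes FortiWLM versions are written as three dot-separated integers; branches not named in the advisory (anything other than 8.5.x and 8.6.x) are reported as "unknown" rather than guessed.

```python
"""Triage FortiWLM versions against FG-IR-23-141 / CVE-2023-34989.

Added example. The fixed versions come from the advisory text
(8.6.6 for the 8.6 branch, 8.5.5 for the 8.5 branch); the inventory
below is constructed sample data, not real hosts.
"""
from typing import Dict, List, Tuple

# Per branch (major, minor): first version that carries the fix.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 6): (8, 6, 6),
    (8, 5): (8, 5, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'x.y.z' into a tuple of ints so comparisons are numeric.

    Raises ValueError on anything that is not three integer fields,
    so malformed inventory rows are surfaced instead of silently
    treated as safe.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWLM version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string.

    'unknown' means the release branch is not covered by the advisory,
    which should be followed up with the vendor rather than assumed safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "affected"


def triage(inventory_lines: List[str]) -> Dict[str, str]:
    """Map each 'hostname,version' line to its assessment.

    Blank lines and '#' comments are skipped; a malformed version is
    recorded as 'invalid' so the row is not lost from the report.
    """
    result: Dict[str, str] = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "invalid"
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    "# host,fortiwlm_version",
    "wlm-dc1,8.6.5",      # last unfixed 8.6 release
    "wlm-dc2,8.6.6",      # first fixed 8.6 release
    "wlm-dc3,8.6.10",     # numerically newer than 8.6.6
    "wlm-lab,8.5.0",      # oldest listed affected 8.5 release
    "wlm-branch,8.5.5",   # first fixed 8.5 release
    "wlm-old,8.4.2",      # branch not named in the advisory
    "wlm-bad,8.6",        # malformed entry
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as "affected" map directly onto the two upgrade lines in the Solutions section; "unknown" and "invalid" rows need a manual look before the report is considered complete.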


Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet
Product Security team.


Timeline

2023-09-29: Initial publication


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email: cert@support.renater.fr +
=========================================================
