CVE-2021-24009

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.8HIGH

EPSS

0.3%

top 44.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortiwan Fortinet Fortinet Fortiwan

Timeline

PublishedApr 6

Latest updateApr 7

Description

Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4.5.9 may allow an authenticated attacker to execute arbitrary commands on the underlying system's shell via specifically crafted HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDfortinet/fortiwan4.5.8

▶CVEListV5fortinet/fortinet_fortiwanFortiWAN before 4.5.9

Patches

Patch: fortiguard.com ↗Patch: fortiguard.com ↗

🔴Vulnerability Details

GHSA

GHSA-7xrh-w83g-7mfh: Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4↗2022-04-07

▶

CVEList

CVE-2021-24009: Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of FortiWAN before 4↗2022-04-06

▶

📋Vendor Advisories

Fortinet

Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in the Web GUI of Fo...↗2022-04-06

▶