CVE-2022-27489

CWE-78OS Command Injection4 documents4 sources
Severity
7.2HIGH
EPSS
1.5%
top 19.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet Fortiextender FirmwareFortinet Fortiextender
Timeline
PublishedFeb 16

Description

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

NVDfortinet/fortiextender_firmware3.2.13.2.4+10
CVEListV5fortinet/fortiextender7.0.07.0.3+8

🔴Vulnerability Details

2
GHSA
GHSA-g389-p63j-mfgq: A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 72023-02-16
CVEList
CVE-2022-27489: A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 72023-02-16

📋Vendor Advisories

1
Fortinet
Multiple command injection vulnerabilities in webserver2023-02-16
CVE-2022-27489 (HIGH CVSS 7.2) | A improper neutralization of specia | cvebase.io