CVE-2023-41838 — OS Command Injection in Fortinet Fortimanager

CWE-78 — OS Command Injection4 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 53.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedOct 10

Description

An improper neutralization of special elements used in an os command ('os command injection') in FortiManager 7.4.0 and 7.2.0 through 7.2.3 may allow attacker to execute unauthorized code or commands via FortiManager cli.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5fortinet/fortimanager7.2.0 — 7.2.3+4

▶NVDfortinet/fortimanager6.2.0 — 6.2.11+4

▶CVEListV5fortinet/fortianalyzer7.2.0 — 7.2.3+4

▶NVDfortinet/fortianalyzer6.2.0 — 6.2.11+4

🔴Vulnerability Details

CVEList

CVE-2023-41838: An improper neutralization of special elements used in an os command ('os command injection') in FortiManager 7↗2023-10-10

▶

GHSA

GHSA-jvhq-qf3p-3jrr: An improper neutralization of special elements used in an os command ('os command injection') in FortiManager 7↗2023-10-10

▶

📋Vendor Advisories

Fortinet

Arbitrary file deletion↗2023-10-10

▶