CVE-2023-42788 — OS Command Injection in Fortinet Fortianalyzer

CWE-78 — OS Command Injection4 documents4 sources

Severity

6.7MEDIUMNVD

CNA7.8

EPSS

0.3%

top 46.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortianalyzer Fortinet Fortimanager

Timeline

PublishedOct 10

Description

An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in FortiManager & FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.8, version 6.4.0 through 6.4.12 and version 6.2.0 through 6.2.11 may allow a local attacker with low privileges to execute unauthorized code via specifically crafted arguments to a CLI command

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5fortinet/fortimanager7.2.0 — 7.2.3+4

▶NVDfortinet/fortimanager6.2.0 — 6.2.11+4

▶CVEListV5fortinet/fortianalyzer7.2.0 — 7.2.3+4

▶NVDfortinet/fortianalyzer6.2.0 — 6.2.11+4

🔴Vulnerability Details

CVEList

CVE-2023-42788: An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in FortiManager & FortiAnalyzer v↗2023-10-10

▶

GHSA

GHSA-373p-j926-5m9h: An improper neutralization of special elements used in an os command ('OS Command Injection') vulnerability [CWE-78] in FortiManager & FortiAnalyzer v↗2023-10-10

▶

📋Vendor Advisories

Fortinet

OS command injection↗2023-10-10

▶