PT-2021-3437 · Fortinet · Fortiweb
Andrey Medov · Published 2021-05-28 · Updated 2021-08-18 · CVE-2021-22123
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
FortiWeb versions 6.3.7 and below
FortiWeb versions 6.2.3 and below
FortiWeb versions 6.1.x
FortiWeb versions 6.0.x
FortiWeb versions 5.9.x
Description
The issue is an OS command injection vulnerability in FortiWeb's management interface. This vulnerability may allow a remote authenticated attacker to execute arbitrary commands on the system via the SAML server configuration page. The vulnerability exists due to the lack of measures to neutralize special elements used in the OS command.
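The weakness the advisory names, "lack of measures to neutralize special elements used in the OS command", is a general pattern rather than anything specific to FortiWeb's code. The following is an added, constructed example (not FortiWeb's code, not from the advisory) that shows the pattern and two defensive responses: a hypothetical management-interface handler pastes an admin-supplied SAML server name into a shell command line, a reviewer tokenizes the resulting command the way a POSIX shell would to see whether the untrusted field changed the command structure, and the hardened versions neutralize the field (shell quoting) or avoid the shell entirely (allowlist validation plus an argv list). `HELPER`, the function names and the sample server names are assumptions for illustration.

```python
import re
import shlex

# Assumed path of a helper program the hypothetical handler invokes; illustrative only.
HELPER = "/usr/local/bin/saml-helper"

# Shell control operators and redirections that change command structure.
SHELL_CONTROL = {";", "|", "&", "&&", "||", "|&", "(", ")", "<", ">", ">>", "<<"}

# Allowlist for a configuration object name: alphanumerics, dot, dash, underscore,
# at most 64 characters. Anything else is rejected before it reaches a command.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def build_unsafe(server_name: str) -> str:
    """Vulnerable pattern: the untrusted field is interpolated into a command
    line that will be handed to a shell, with no neutralization at all."""
    return f"{HELPER} --add {server_name}"


def build_quoted(server_name: str) -> str:
    """Neutralization: shlex.quote wraps the field so the shell treats every
    special character in it as literal data. Adequate only if a shell is truly
    unavoidable; the structural fix below is preferable."""
    return f"{HELPER} --add {shlex.quote(server_name)}"


def build_safe(server_name: str) -> list:
    """Structural fix: validate against an allowlist, then return an argv list
    for subprocess.run(argv) with no shell, so no command-line parsing occurs."""
    if not NAME_RE.fullmatch(server_name):
        raise ValueError("invalid SAML server name")
    return [HELPER, "--add", server_name]


def shell_words(command: str) -> list:
    """Tokenize a command line as a POSIX shell would, returning control
    operators (; | & and redirections) as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def has_control_operator(tokens: list) -> bool:
    """True if any token is a shell control operator: the untrusted field
    changed the command structure rather than staying a single argument."""
    return any(tok in SHELL_CONTROL for tok in tokens)


def review(server_name: str) -> dict:
    """Summarize how the three builders treat one input; used for reporting."""
    unsafe = shell_words(build_unsafe(server_name))
    quoted = shell_words(build_quoted(server_name))
    try:
        safe_argv = build_safe(server_name)
    except ValueError:
        safe_argv = None
    return {
        "unsafe_injected": has_control_operator(unsafe),
        "quoted_injected": has_control_operator(quoted),
        "safe_argv": safe_argv,
    }


if __name__ == "__main__":
    # Constructed inputs: a normal name and one carrying a shell metacharacter.
    for name in ("idp1", "idp1; echo INJECTED"):
        print(repr(name), review(name))
```

In the output, the unsafe builder turns the second name into two commands (the tokens include `;` and a new command word), the quoted builder keeps the whole name as one literal argument, and the allowlisted builder rejects it outright while still producing a plain argv list for the benign name. Restricting access to the management interface, as the Recommendations section advises, reduces who can reach such a handler; the code-level fix is to remove the shell from the path entirely.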
Recommendations
For FortiWeb versions 6.3.7 and below, consider disabling the SAML server configuration page until a patch is available.
For FortiWeb versions 6.2.3 and below, restrict access to the management interface to minimize the risk of exploitation.
For FortiWeb versions 6.1.x, 6.0.x, and 5.9.x, avoid using the SAML server configuration page until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Fortiweb