PT-2021-3978 · Fortinet · FortiPortal

Published

2021-08-03

·

Updated

2021-08-11

·

CVE-2021-32590

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiPortal versions 4.2.2 and earlier
FortiPortal versions 5.2.0 through 5.2.5
FortiPortal versions 5.3.0 through 5.3.5
FortiPortal versions 6.0.0 through 6.0.4
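A helper for checking an installed build against the four ranges above, added here as an example and not part of the advisory or any Fortinet tooling. It assumes FortiPortal reports a dotted major.minor.patch version (optionally prefixed with "v" or followed by a build suffix); the range table is copied from the list above, and branches the advisory does not mention (for instance 5.0.x or 5.1.x) are reported as "not listed" rather than as safe.

```python
# Added example (not Fortinet's or the advisory's own code): check whether a
# FortiPortal version string falls inside one of the affected ranges listed above.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as the advisory lists them: (label, low, high), both inclusive.
# "4.2.2 and earlier" has no lower bound, so 0.0.0 is used as its floor.
AFFECTED_RANGES = [
    ("4.2.2 and earlier", (0, 0, 0), (4, 2, 2)),
    ("5.2.0 through 5.2.5", (5, 2, 0), (5, 2, 5)),
    ("5.3.0 through 5.3.5", (5, 3, 0), (5, 3, 5)),
    ("6.0.0 through 6.0.4", (6, 0, 0), (6, 0, 4)),
]

# Assumed version format: optional "v", then major.minor.patch; anything after is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'v6.0.4', '6.0.4' or '6.0.4 build 0111' into a comparable tuple.

    Only the leading major.minor.patch triple is used; build suffixes are ignored.
    """
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised FortiPortal version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected_range(text: str) -> Optional[str]:
    """Return the advisory's range label the version falls in, or None.

    None means the version is inside none of the listed ranges. For branches the
    advisory does not mention at all (e.g. 5.0.x, 5.1.x) that is "not listed",
    not a statement that the branch is safe.
    """
    ver = parse_version(text)
    for label, low, high in AFFECTED_RANGES:
        if low <= ver <= high:
            return label
    return None


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    return affected_range(text) is not None


if __name__ == "__main__":
    for v in ("4.1.0", "4.2.2", "5.2.6", "5.3.5", "6.0.4", "v6.0.5 build 0123"):
        print(f"{v:>20}: {affected_range(v) or 'not in a listed affected range'}")
```

Run the script directly to print the verdict for a handful of sample versions, or import `affected_range` into an inventory script and feed it the version string each FortiPortal instance reports.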
Description

Multiple instances of improper neutralization of special elements used in an SQL command (SQL injection) may allow an attacker holding a regular user's privileges to execute arbitrary SQL commands on the underlying database via specifically crafted HTTP requests. The injection is reached through a lack of validation of XML object sequences in those requests. The vulnerability can be exploited remotely: it requires an authenticated account (PR:L) but no user interaction (UI:N), and its impact extends beyond the attacker's own authorization scope (S:C), which is why the score is Critical despite the low-privilege account needed.
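The weakness class described above, shown as an added example that is not FortiPortal's code and does not reproduce the FortiPortal request format (which this page does not publish): a constructed multi-tenant portal schema in an in-memory SQLite database, a handler that concatenates an authenticated user's tenant filter into the query, and the parameterised form that neutralises the same input. The two payloads show what "regular user's privileges" buys an attacker: escaping the tenant filter (the scope change behind S:C) and reading a different table.

```python
# Added example (illustrative, not FortiPortal's code): the weakness class this
# advisory describes, CWE-89, shown against an in-memory SQLite database.
# The schema, the tenant filter parameter and the payloads are all constructed here.
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Build a constructed multi-tenant portal database: two customers plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, customer TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO devices (name, customer) VALUES (?, ?)",
        [("fw-edge-1", "acme"), ("fw-edge-2", "acme"), ("fw-core-1", "globex")],
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-of-admin-password", "admin"), ("alice", "hash-of-alice-password", "user")],
    )
    conn.commit()
    return conn


def list_devices_vulnerable(conn: sqlite3.Connection, customer: str) -> List[Row]:
    """Vulnerable form: the request parameter is concatenated into the statement.

    Quotes and comment markers in `customer` are not neutralised, so a regular
    user who controls this parameter controls the rest of the SQL statement.
    """
    sql = f"SELECT name, customer FROM devices WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def list_devices_fixed(conn: sqlite3.Connection, customer: str) -> List[Row]:
    """Hardened form: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT name, customer FROM devices WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed payloads a low-privileged user could place in the filter parameter.
TAUTOLOGY = "acme' OR '1'='1"                                    # escape the tenant filter
UNION_DUMP = "x' UNION ALL SELECT username, role FROM users --"  # read a different table


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology :", list_devices_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union dump:", list_devices_vulnerable(conn, UNION_DUMP))
    print("fixed, tautology      :", list_devices_fixed(conn, TAUTOLOGY))
    print("fixed, union dump     :", list_devices_fixed(conn, UNION_DUMP))
```

The fixed handler returns no rows for either payload because the driver sends the string as a bound value rather than as SQL text; the same change, applied at every place user-controlled data reaches a statement, is the fix for this weakness class regardless of the web framework in front of the database.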
Recommendations

For FortiPortal versions 4.2.2 and earlier, update to a version later than 4.2.2.
For FortiPortal versions 5.2.0 through 5.2.5, update to a version later than 5.2.5.
For FortiPortal versions 5.3.0 through 5.3.5, update to a version later than 5.3.5.
For FortiPortal versions 6.0.0 through 6.0.4, update to a version later than 6.0.4.

Until the update is applied, reduce exposure rather than relying on database-side controls: the injected SQL is executed by the FortiPortal application with its own database credentials, so restricting access to the database server does not block exploitation through the web interface. Restrict network access to the FortiPortal web interface to trusted management networks, keep regular user accounts to the minimum needed (the vulnerability requires only a regular user's credentials), and review web server logs for requests whose parameters contain SQL syntax.

Weakness Enumeration

SQL injection (CWE-89)

Related Identifiers

BDU:2021-04497
CVE-2021-32590

Affected Products

FortiPortal