Description
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR 7.6.0 through 7.6.1, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an attacker who has already obtained a non-login low privileged shell access (via another hypothetical vulnerability) to perform a local privilege escalation via crafted commands.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
E
Physical
RL
X
RC
Changed
Affected products
- fortinet / fortisoaron-premise7.6.0 – 7.6.0
- fortinet / fortisoaron-premise7.5.1 – 7.5.1
- fortinet / fortisoaron-premise7.5.0 – 7.5.0
- fortinet / fortisoaron-premise7.4.5 – 7.4.5
- fortinet / fortisoaron-premise7.4.4 – 7.4.4
- fortinet / fortisoaron-premise7.4.3 – 7.4.3
- fortinet / fortisoaron-premise7.4.2 – 7.4.2
- fortinet / fortisoaron-premise7.4.1 – 7.4.1
- fortinet / fortisoaron-premise7.4.0 – 7.4.0
- fortinet / fortisoaron-premise7.3.3 – 7.3.3
- fortinet / fortisoaron-premise7.3.2 – 7.3.2
- fortinet / fortisoaron-premise7.3.1 – 7.3.1
- fortinet / fortisoaron-premise7.3.0 – 7.3.0
References
- VENDOR_ADVISORYhttps://fortiguard.fortinet.com/psirt/FG-IR-24-412