Fortinet has released patches for several vulnerabilities across its products
A high-severity command injection bug in FortiADC is tracked as CVE-2022-39947 with a CVSS score of 8.6. The flaw could allow an authenticated attacker with access to the product to execute arbitrary code.
The issue impacts FortiADC versions 5.4.x, 6.0.x, 6.1.x, 6.2.x, and 7.0.x, and will be addressed with the release of FortiADC 6.2.4 and 7.0.2, Fortinet notes in its advisory.
Fortinet also released patches for multiple high-severity command injection flaws in FortiTester. Tracked as CVE-2022-35845 with a CVSS score of 7.6, the flaws stem from improper neutralization of special elements and could lead to arbitrary command execution in the underlying shell.
The issue impacts FortiTester versions 2.x.x, 3.x.x, 4.x.x, 7.x, and 7.1.0, and was addressed with the release of FortiTester versions 3.9.2, 4.2.1, 7.1.1, and 7.2.0.
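To make the FortiTester bug class concrete, here is an added example (not code from Fortinet's advisory or products) of what "improper neutralization of special elements" means when user input reaches a shell. The command, the `198.51.100.7; id` input value and the function names are constructed for illustration. Rather than executing anything, the example tokenizes the command line the way a POSIX shell would, so you can see that the unneutralized input becomes a second command, that `shlex.quote` keeps it inside one argument, and that the hardened path validates the value and passes an argv list (no shell at all).

```python
import ipaddress
import shlex

# Constructed sample input: a "target host" field carrying a shell metacharacter.
CONSTRUCTED_INPUT = "198.51.100.7; id"


def shell_tokens(command_line: str) -> list[str]:
    """Tokenize a command line like a POSIX shell, keeping operators such as
    ';' and '|' as separate tokens so we can see whether input escaped its argument."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_vulnerable_command(host: str) -> str:
    """Vulnerable pattern: user input interpolated straight into a shell string."""
    return f"ping -c 1 {host}"


def build_neutralized_command(host: str) -> str:
    """Same shell string, but the special elements are neutralized by quoting."""
    return f"ping -c 1 {shlex.quote(host)}"


def is_valid_target(host: str) -> bool:
    """Strict allow-list validation: only a literal IP address is accepted."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_hardened_argv(host: str) -> list[str]:
    """Preferred fix: validate first, then build an argv list for
    subprocess.run(argv, shell=False) so no shell ever parses the input."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print("vulnerable  :", shell_tokens(build_vulnerable_command(CONSTRUCTED_INPUT)))
    print("neutralized :", shell_tokens(build_neutralized_command(CONSTRUCTED_INPUT)))
    print("hardened    :", build_hardened_argv("198.51.100.7"))
```

The tokenized vulnerable line shows `;` and `id` as separate shell tokens, which is exactly the "arbitrary command execution in the underlying shell" outcome; quoting collapses the input back into one argument, and the validated argv path removes the shell from the picture entirely, which is the more robust of the two fixes.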
Other vulnerabilities include a medium-severity incorrect user management issue in FortiManager that could lead to passwordless admin access on FortiGate, an improper neutralization of input bug in FortiPortal leading to cross-site scripting (XSS), and an improper neutralization of CRLF sequences flaw in FortiWeb leading to arbitrary header injection.
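The FortiWeb item is the CRLF header injection class. As an added illustration (not code from Fortinet), the snippet below builds an HTTP response head from a list of headers: the vulnerable builder concatenates values unchecked, so a value containing `\r\n` (constructed here as `text/html\r\nSet-Cookie: injected=1`) is parsed by the receiver as two headers; the hardened builder rejects any CR or LF in a header name or value before the bytes are assembled. The function names and sample values are assumptions for this example.

```python
# Constructed sample: a header value smuggling a CRLF and a second header.
CONSTRUCTED_VALUE = "text/html\r\nSet-Cookie: injected=1"
STATUS_LINE = "HTTP/1.1 200 OK"


def build_head_vulnerable(status_line: str, headers: list[tuple[str, str]]) -> str:
    """Vulnerable pattern: header values joined into the wire format unchecked."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_head_hardened(status_line: str, headers: list[tuple[str, str]]) -> str:
    """Hardened builder: refuse CR/LF anywhere in a header name or value."""
    for name, value in headers:
        if any(c in name or c in value for c in ("\r", "\n")):
            raise ValueError(f"CR/LF not allowed in header {name!r}")
    return build_head_vulnerable(status_line, headers)


def parse_header_names(head: str) -> list[str]:
    """Parse the head the way a client would: one header per CRLF-terminated line."""
    names = []
    for line in head.split("\r\n")[1:]:
        if not line:
            break  # empty line ends the header block
        name, _, _ = line.partition(":")
        names.append(name.strip())
    return names


def hardened_rejects(value: str) -> bool:
    """True if the hardened builder refuses to emit this header value."""
    try:
        build_head_hardened(STATUS_LINE, [("Content-Type", value)])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    head = build_head_vulnerable(STATUS_LINE, [("Content-Type", CONSTRUCTED_VALUE)])
    print("headers seen by client:", parse_header_names(head))
    print("hardened rejects it   :", hardened_rejects(CONSTRUCTED_VALUE))
```

The parsed vulnerable head lists both `Content-Type` and the injected `Set-Cookie`, which is the "arbitrary header injection" effect; the hardened builder never lets the value reach the wire. Most mature HTTP libraries apply this same check themselves, so the real risk is usually in code that assembles headers by hand.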
Customers are advised to update their respective products to prevent threat actors from exploiting these flaws.