FortiWeb is vulnerable to a blind SQL injection
FortiWeb — CVE-2020-29015
A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.
Fortinet has released security updates that address this vulnerability.
The vulnerability is rated MEDIUM severity.
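To show the defect class the advisory describes (SQL built from a decoded Authorization header) and the check a defender can run, here is an added Python example. It is not FortiWeb code: the `users` table, the credentials, and the `lookup_unsafe`, `lookup_safe` and `suspicious_auth_header` function names are assumptions made for illustration. The unsafe lookup splices the decoded user name into the query text, the hardened lookup binds it as a parameter, and the heuristic scanner flags Basic credentials that carry SQL metacharacters or keywords.

```python
import base64
import re
import sqlite3

# Constructed sample data; the schema is an assumption, not FortiWeb's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def parse_basic_auth(header):
    """Return (user, password) from a 'Basic <base64>' header, or None if malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def lookup_unsafe(conn, header):
    """Vulnerable pattern: attacker-controlled text becomes part of the SQL statement."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, _ = creds
    sql = "SELECT pw_hash FROM users WHERE name = '" + user + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, header):
    """Hardened pattern: the user name is bound as a parameter and never parsed as SQL."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, _ = creds
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (user,)).fetchone()
    return row[0] if row else None


# Heuristic indicators of SQL syntax inside a credential string (assumed list).
SQLI_INDICATORS = re.compile(
    r"('|--|/\*|;|\b(?:or|and|union|select|sleep|benchmark|waitfor)\b)",
    re.IGNORECASE,
)


def suspicious_auth_header(header):
    """True when the decoded Basic credentials contain SQL metacharacters or keywords."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    return any(SQLI_INDICATORS.search(part) for part in creds)


# Constructed headers: one ordinary login and one carrying a SQL tautology in the user name.
NORMAL_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()
CRAFTED_HEADER = "Basic " + base64.b64encode(b"' OR '1'='1:x").decode()

if __name__ == "__main__":
    conn = make_db()
    for label, hdr in (("normal", NORMAL_HEADER), ("crafted", CRAFTED_HEADER)):
        print(label, "unsafe ->", lookup_unsafe(conn, hdr),
              "| safe ->", lookup_safe(conn, hdr),
              "| flagged:", suspicious_auth_header(hdr))
```

With the crafted header the unsafe lookup returns a row for a user that does not exist, while the parameterised lookup returns nothing; the scanner is a heuristic for triaging captured requests where the Authorization header is available and does not replace the upgrade the advisory calls for.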
Affected versions:
- FortiWeb versions 6.3.7 and below.
- FortiWeb versions 6.2.3 and below.
Solution:
- Upgrade to FortiWeb version 6.3.8 or above.
- Upgrade to FortiWeb version 6.2.4 or above.
| Vulnerability Rating | CVSS v3.0 | CVSS v2.0 |
|---|---|---|
| Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | CVSS v2.0/AV:N/AC:L/AU:N/C:P/I:P/A:N |
It is recommended that the following actions be taken:
- Apply the updates released by Fortinet to vulnerable systems, immediately after appropriate testing.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users about the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.