
Fortinet has warned of a critical flaw that affects multiple versions of the FortiADC Application Delivery Controller and can lead to the execution of arbitrary code.
“Improperly disabling the special factor used in FortiADC’s OS command vulnerability could allow an authenticated attacker with access to the web GUI to execute malicious code or commands via a specially crafted HTTP request,” the company said in an advisory.
The vulnerability, tracked as CVE-2022-39947 (CVSS score: 8.6) and discovered internally by the product security team, affects the following versions:
- FortiADC versions 7.0.0 to 7.0.2
- FortiADC versions 6.2.0 to 6.2.3
- FortiADC versions 6.1.0 to 6.1.6
- FortiADC versions 6.0.0 to 6.0.4
- FortiADC versions 5.4.0 to 5.4.5
We recommend upgrading to FortiADC versions 6.2.4 and 7.0.2 when they become available.
The January 2023 patch also addresses the FortiTester command injection vulnerability (CVE-2022-35845, CVSS score: 7.6). This could allow an authenticated attacker to execute arbitrary commands in the underlying shell.
Zoho Fixes SQLi Bugs
Enterprise software provider Zoho is urging customers to upgrade to the latest versions of Access Manager Plus, PAM360 and Password Manager Pro following the discovery of a severe SQL injection (SQLi) vulnerability.
Assigned the identifier CVE-2022-47523, this issue affects Access Manager Plus versions 4308 and below, PAM360 versions 5800 and below, and Password Manager Pro versions 12200 and below.
“This vulnerability could allow an attacker to execute custom queries and access database table entries using vulnerable requests,” the India-based company said, adding that the bug was fixed by adding proper validation and escaping special characters.
The exact details of the shortcoming have not been disclosed, but Zoho’s release notes reveal that it identified a flaw in its internal framework that could allow any user to “access the backend database”.