Multiple versions of the FortiADC application delivery controller are susceptible to a critical flaw that could lead to the execution of arbitrary code, according to Fortinet.
“An improper neutralization of special elements used in an OS command vulnerability in FortiADC could allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specially crafted HTTP requests,” according to the company’s advisory.
The vulnerability, tracked as CVE-2022-39947 (CVSS score: 8.6) and discovered internally by Fortinet's product security team, affects the versions listed below:
- FortiADC version 7.0.0 through 7.0.2
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 6.1.0 through 6.1.6
- FortiADC version 6.0.0 through 6.0.4
- FortiADC version 5.4.0 through 5.4.5
Users are encouraged to upgrade to versions 6.2.4 and 7.0.2 of FortiADC as soon as they become available.
Additionally, the January 2023 patches address several command injection vulnerabilities in FortiTester (CVE-2022-35845, CVSS score: 7.6) that could allow an authenticated attacker to execute arbitrary commands in the underlying shell.
Zoho Releases Fixes For An SQLi Flaw
Following the discovery of a severe SQL injection (SQLi) flaw, enterprise software provider Zoho urges customers to upgrade to the latest versions of Access Manager Plus, PAM360, and Password Manager Pro.
The vulnerability, identified as CVE-2022-47523, affects Access Manager Plus versions before 4308, PAM360 versions before 5800, and Password Manager Pro versions before 12200.
“This vulnerability could allow an adversary to execute custom queries and access database table entries using the vulnerable request,” the India-based company explained, adding that the flaw was fixed by adding proper validation and escaping special characters.
Although exact details regarding the flaw have not been disclosed, Zoho’s release notes reveal that the flaw was discovered in the company’s internal framework and could allow all users to “access the backend database.”
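The two defensive measures Zoho names, input validation and escaping, map onto a pattern any backend can apply. The following is an added illustration written for this article, not Zoho's code and not based on any knowledge of its internal framework; the table, the rows and the `accounts` schema are constructed for the demo. It places a string-concatenated lookup (the vulnerable class) beside two hardened variants: one that relies on the database driver's parameter binding alone, and one that adds an allow-list check in front of it.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a backend
# account store. The schema is invented for this example.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable class: the request parameter is spliced into the SQL text,
    so a quote in the input changes the query's structure instead of its data."""
    sql = f"SELECT username, secret FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, username: str) -> list:
    """Hardened by binding: the driver passes the value separately from the
    statement, so special characters are data and cannot alter the query."""
    sql = "SELECT username, secret FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for the identifier we expect; anything else is rejected up front.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username")
    return username


def is_rejected(username: str) -> bool:
    """True when the allow-list check refuses the value."""
    try:
        validate_username(username)
    except ValueError:
        return True
    return False


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validation first, then binding: two independent layers, which is the
    shape of fix the advisory describes (validation plus escaping)."""
    return lookup_bound(conn, validate_username(username))


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # textbook tautology input, used here only to show the contrast
    print("concat, normal input :", lookup_concat(db, "alice"))
    print("concat, probe input  :", lookup_concat(db, probe))   # every row leaks
    print("bound, probe input   :", lookup_bound(db, probe))    # no row matches
    print("hardened, probe input:", "rejected" if is_rejected(probe) else "accepted")
```

The concatenated variant returns the whole table for the probe input, which is the "access database table entries using the vulnerable request" outcome the advisory warns about; the bound variant treats the same string as a literal username and matches nothing; the validated variant never reaches the database at all. Binding is the essential control, and the allow-list is a cheap second layer that also gives the application a clear place to log rejected input.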