CVE-2021-26104
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
06/04/2022
Last modified:
28/07/2022
Description
Multiple OS command injection (CWE-78) vulnerabilities in the command line interface of FortiManager 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, FortiAnalyzer 6.2.7 and below, 6.4.5 and below and all versions of 6.2.x, 6.0.x and 5.6.x, and FortiPortal 5.2.5 and below, 5.3.5 and below and 6.0.4 and below may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Base Score 2.0
7.20
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | 5.6.0 (including) | 6.0.11 (excluding) |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.2.8 (excluding) |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | 6.4.0 (including) | 6.4.6 (excluding) |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | 5.6.0 (including) | 6.0.11 (excluding) |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.2.8 (excluding) |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | 6.4.0 (including) | 6.4.6 (excluding) |
| cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:* | 5.2.6 (excluding) | |
| cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:* | 5.3.0 (including) | 5.3.6 (excluding) |
| cpe:2.3:a:fortinet:fortiportal:*:*:*:*:*:*:*:* | 6.0.0 (including) | 6.0.5 (excluding) |
To consult the complete list of CPE names with products and versions, see this page