FortiManager - Excel formula injection in P&O IPv4 Policy names Vulnerability

2021-09-0700:00:00

FortiGuard Labs

www.fortiguard.com

0.0004 Low

EPSS

Percentile

12.7%

JSON

An improper neutralization of formula elements vulnerability (CWE 1236) in FortiManager may allow a local authenticated privileged attacker to execute arbitrary shell code on the end-user’s host via inserting CSV formula in the policy names. This is achieved once the user downloads and opens the configuration csv/xls* file.

CPENameOperatorVersion
fortimanagereq6.4.3
fortimanagereq6.4.2
fortimanagereq6.4.1
fortimanagereq6.4.0
fortimanagereq6.2.7
fortimanagereq6.2.6
fortimanagereq6.2.5
fortimanagereq6.2.4
fortimanagereq6.2.3
fortimanagereq6.2.2

Name	Operator	Version
fortimanager	eq	6.4.3
fortimanager	eq	6.4.2
fortimanager	eq	6.4.1
fortimanager	eq	6.4.0
fortimanager	eq	6.2.7
fortimanager	eq	6.2.6
fortimanager	eq	6.2.5
fortimanager	eq	6.2.4
fortimanager	eq	6.2.3
fortimanager	eq	6.2.2

Rows per page:

1-10 of 251

0.0004 Low

EPSS

Percentile

12.7%

JSON

Related for FG-IR-20-190