Rewterz Threat Advisory – Multiple Fortinet Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-36187

Fortinet FortiWeb is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By sending specially-crafted HTTP requests to proxy services, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2021-36186

Fortinet FortiWeb is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. By sending specially-crafted HTTP requests with large request parameter values, a remote attacker could overflow a buffer and execute arbitrary code on the system.
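The defect class behind this CVE (an HTTP request parameter copied into a fixed-size stack buffer without a length check) is easiest to see next to its fix. The following is an added illustration written for this advisory, not FortiWeb code and not Fortinet's patch; the buffer size, function names and the request value are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the stack buffer a hypothetical proxy handler uses for one
 * request parameter value. Constructed for this example. */
#define PARAM_MAX 64

/* Vulnerable pattern (illustrative): the parameter value is copied into a
 * fixed stack buffer with no bounds check. A value longer than PARAM_MAX-1
 * bytes writes past the end of buf, which is the stack-based overflow
 * (CWE-121) the advisory describes. Only called with short input here. */
int handle_param_unchecked(const char *value) {
    char buf[PARAM_MAX];
    strcpy(buf, value);                 /* no bounds check */
    return (int)strlen(buf);
}

/* Hardened form: measure the value without scanning past the destination
 * size, refuse anything that would not fit with its terminator, and only
 * then copy. Returns the copied length, or -1 when the value is rejected
 * (the caller would answer HTTP 400/414 instead of processing it). */
int handle_param_checked(const char *value, char *out, size_t outlen) {
    size_t n = 0;
    while (n < outlen && value[n] != '\0') {   /* bounded scan */
        n++;
    }
    if (n >= outlen) {
        return -1;                              /* too long: reject */
    }
    memcpy(out, value, n);
    out[n] = '\0';                              /* always NUL-terminate */
    return (int)n;
}

/* Builds a constructed over-long value of the kind a fuzzer sends. */
char *make_long_value(size_t len) {
    char *v = malloc(len + 1);
    if (v == NULL) {
        return NULL;
    }
    memset(v, 'A', len);
    v[len] = '\0';
    return v;
}

int main(void) {
    char out[PARAM_MAX];
    char *big = make_long_value(4096);          /* constructed input */
    printf("normal value   -> %d\n", handle_param_checked("id=1234", out, sizeof out));
    printf("4096-byte value -> %d\n", handle_param_checked(big, out, sizeof out));
    free(big);
    return 0;
}
```

The check in the hardened version deliberately limits its own scan to `outlen` bytes, so a missing terminator in the input cannot turn the length measurement itself into an over-read.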

CVE-2021-36185

Fortinet FortiWLM could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw. By sending specially-crafted HTTP requests to various controllers, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
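Command injection of this kind arises when a controller builds a shell command string from a request parameter. The added example below is not FortiWLM code; it uses a hypothetical interface-status controller, an allowlist for the parameter, and `execvp()` with an argv array so that no shell ever parses the value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (illustrative, never executed here): the command line
 * is assembled from the request parameter and would be handed to /bin/sh,
 * so shell metacharacters in the value change what runs. */
int build_shell_command_vulnerable(const char *iface, char *cmd, size_t cmdlen) {
    return snprintf(cmd, cmdlen, "ifconfig %s", iface);
}

/* Allowlist for the hypothetical "iface" parameter: lowercase letters,
 * digits, '-' and '.', at most 15 bytes (IFNAMSIZ-1). Everything else,
 * including spaces, ';', '|', '&' and '$', is refused. */
int is_safe_iface_name(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 15) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
                 c == '-' || c == '.';
        if (!ok) {
            return 0;
        }
    }
    return 1;
}

/* Hardened form: validate first, then run the binary directly with an
 * argv array. The value reaches ifconfig as a single argument; there is no
 * shell to reinterpret it. Returns the child's exit status, or -1. */
int run_ifconfig_safely(const char *iface) {
    if (!is_safe_iface_name(iface)) {
        return -1;                      /* reject before doing anything */
    }
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        char *const argv[] = { "ifconfig", (char *)iface, NULL };
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[128];
    /* Constructed parameter values: one benign, one carrying a metacharacter. */
    const char *benign = "eth0";
    const char *hostile = "eth0;true";
    build_shell_command_vulnerable(hostile, cmd, sizeof cmd);
    printf("string a shell would see: \"%s\"\n", cmd);
    printf("allowlist accepts \"%s\": %d\n", benign, is_safe_iface_name(benign));
    printf("allowlist accepts \"%s\": %d\n", hostile, is_safe_iface_name(hostile));
    printf("run with hostile value -> %d (rejected)\n", run_ifconfig_safely(hostile));
    return 0;
}
```

The allowlist is the primary control and the argv-based exec is defence in depth: even if a character slips through validation, `execvp()` passes it to the program as data, not to a shell as syntax.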

CVE-2021-36184

Fortinet FortiWLM is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to various controllers, which could allow the attacker to view, add, modify or delete information in the back-end database.

Impact

  • Denial of Service
  • Buffer Overflow
  • Command Execution
  • Data Manipulation

Affected Vendors

Fortinet

Affected Products

  • Fortinet FortiWeb 6.2.5
  • Fortinet FortiWeb 6.3.15
  • Fortinet FortiWeb 6.4.0
  • Fortinet FortiWLM 8.6.1

Remediation

Refer to the FortiGuard PSIRT advisories linked below for patch, upgrade, or suggested workaround information.

CVE-2021-36187

https://www.fortiguard.com/psirt/FG-IR-21-039

CVE-2021-36186

https://www.fortiguard.com/psirt/FG-IR-21-119

CVE-2021-36185

https://www.fortiguard.com/psirt/FG-IR-21-110

CVE-2021-36184

https://www.fortiguard.com/psirt/FG-IR-21-107