Fortinet has warned of a high-severity flaw affecting a number of versions of its FortiADC application delivery controller that could result in the execution of arbitrary code.
"An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests," the company said in an advisory.
The vulnerability, tracked as CVE-2022-39947 (CVSS score: 8.6) and internally discovered by its product security team, impacts the following versions:
- FortiADC version 7.0.0 through 7.0.2
- FortiADC version 6.2.0 through 6.2.3
- FortiADC version 6.1.0 through 6.1.6
- FortiADC version 6.0.0 through 6.0.4
- FortiADC version 5.4.0 through 5.4.5
Users are recommended to upgrade to FortiADC versions 6.2.4 and 7.0.2 as and when they become available.
The January 2023 patches also address a number of command injection vulnerabilities in FortiTester (CVE-2022-35845, CVSS score: 7.6) that could enable an authenticated attacker to execute arbitrary commands in the underlying shell.
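Both Fortinet issues above are OS command injection: a value taken from a web request ends up being parsed by a shell. The following is an added example, not code from Fortinet or from either product, showing the general defensive pattern in Python: a weak version that splices input into a shell string, and a hardened version that validates the value against a strict allowlist and passes it to the program as an argv element so no shell ever interprets it. The diagnostic "ping a hostname" handler is a hypothetical scenario chosen for illustration.

```python
import re
import subprocess
from typing import List

# Allowlist for a hostname-like value: dot-separated labels of letters,
# digits and hyphens, each starting with a letter or digit (so the value can
# never be read as a command-line option) and never containing spaces or
# shell metacharacters such as ; | & $ ` ( ).
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,62})?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,62})?)*$"
)


def is_valid_hostname(value: str) -> bool:
    """Return True only for values matching the allowlist above."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_command_string(host: str) -> str:
    """The weak pattern: user input is spliced into one string that a shell
    will parse, so a value containing ';', '|', '$(' or backticks changes the
    command. Shown for contrast only; this function executes nothing."""
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> List[str]:
    """The hardened pattern: reject anything outside the allowlist, then hand
    the program an argv list. Each element is one argument, never re-parsed."""
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the validated command without a shell (shell=False is the default
    for subprocess.run) and return its exit status."""
    argv = build_ping_argv(host)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate hostname and two that must be rejected.
    for candidate in ("example.com", "example.com; id", "-c 999999 example.com"):
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(exc)
```

The allowlist does the heavy lifting: rather than trying to strip or escape dangerous characters (a denylist that is easy to get wrong), it describes exactly what a hostname may look like and refuses everything else. Passing an argv list instead of `shell=True` is the second, independent layer; either alone would have stopped the shell from seeing metacharacters, and together they also keep the value from being mistaken for an option.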
Zoho Ships Fixes For An SQLi Flaw
Enterprise software provider Zoho is also urging customers to upgrade to the latest versions of Access Manager Plus, PAM360, and Password Manager Pro following the discovery of a severe SQL injection (SQLi) vulnerability.
Assigned the identifier CVE-2022-47523, the issue impacts Access Manager Plus versions 4308 and below; PAM360 versions 5800 and below; and Password Manager Pro versions 12200 and below.
"This vulnerability can allow an adversary to execute custom queries and access the database table entries using the vulnerable request," the India-based company said, adding that it fixed the bug by adding proper validation and escaping special characters.
Although exact specifics about the shortcoming haven't been disclosed, Zoho's release notes reveal that the flaw was identified in its internal framework and that it could enable all users to "access the backend database."