SecuriTricks - CVE-2022-29059

Description

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings parameters.

Product(s) Impacted

Vendor	Product	Versions
Fortinet	Fortiweb	7.0.1, 6.4.2, 6.3.20, 6.2.7

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	fortinet	fortiweb	7.0.1	/	/	/	/	/	/	/
a	fortinet	fortiweb	6.4.2	/	/	/	/	/	/	/
a	fortinet	fortiweb	6.3.20	/	/	/	/	/	/	/
a	fortinet	fortiweb	6.2.7	/	/	/	/	/	/	/

References

https://fortiguard.com/psirt/FG-IR-22-140

CVSS Score

2.7 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

View Vector String

Timeline

Published: March 14, 2025, 4:15 p.m.
Last Modified: March 14, 2025, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@fortinet.com

CVE-2022-29059