CVE-2024-56497: OS Command Injection
First published: Tue Jan 14 2025(Updated: )
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.6 and 6.4.0 through 6.4.7, FortiRecorder versions 7.0.0 and 6.4.0 through 6.4.4 allows attacker to execute unauthorized code or commands via the CLI.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiMail | >=7.2.0<=7.2.4>=7.0.0<=7.0.6>=6.4.0<=6.4.7 | |
| Fortinet FortiRecorder | >=6.4.0<6.4.4 | |
| Fortinet FortiMail | >=6.4.0<6.4.8 | |
| Fortinet FortiMail | >=7.0.0<7.0.7 | |
| Fortinet FortiMail | >=7.2.0<7.2.5 | |
| Fortinet FortiRecorder | >=6.4.0<6.4.5 | |
| Fortinet FortiRecorder | >=7.0.0<7.0.2 |
Remedy
Please upgrade to FortiMail version 7.4.0 or above Please upgrade to FortiMail version 7.2.5 or above Please upgrade to FortiMail version 7.0.7 or above Please upgrade to FortiMail version 6.4.8 or above Please upgrade to FortiRecorder version 7.2.0 or above Please upgrade to FortiRecorder version 7.0.2 or above Please upgrade to FortiRecorder version 6.4.5 or above
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/references
- agent/weakness
- agent/remedy
- agent/first-publish-date
- agent/type
- agent/description
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/fortinet
- canonical/fortinet fortimail
- canonical/fortinet fortirecorder
- version/fortinet fortimail/6.4.0
- version/fortinet fortimail/7.0.0
- version/fortinet fortimail/7.2.0
- version/fortinet fortirecorder/6.4.0
- version/fortinet fortirecorder/7.0.0