CVE-2020-29015

A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.

Published: Jan 14, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-29015
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
fortinet / fortiweb	-	6.2.4
fortinet / fortiweb	6.3.0	6.3.7.x

https://www.fortiguard.com/psirt/FG-IR-20-124

Vulnerability Database

289,784

CVE-2020-29015