CVE-2021-24016

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

Published: Sep 30, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-24016
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.3
AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-1236

Affected Software
References

Software	From	Fixed in
fortinet / fortimanager	-	6.2.8
fortinet / fortimanager	6.4.0	6.4.4

https://fortiguard.com/advisory/FG-IR-20-190

Vulnerability Database

289,784

CVE-2021-24016