CVE-2021-36184: 
FortiWLM vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2021-36184) was discovered in Fortinet FortiWLM version 8.6.1 and below. The vulnerability stems from improper neutralization of special elements used in SQL commands, which could allow an authenticated attacker to access sensitive information through crafted HTTP requests to various controllers. The vulnerability was internally discovered and reported by Mattia Fecit of the Fortinet Product Security Team and was published on November 2, 2021 (Fortiguard PSIRT).

The vulnerability is classified as an SQL Injection (CWE-89) resulting from improper neutralization of special elements in SQL commands. It received a CVSSv3 score of 8.3, categorizing it as a High severity issue. The vulnerability specifically affects the script handlers in FortiWLM, allowing potential manipulation of SQL queries through specially crafted HTTP requests (Fortiguard PSIRT).

The primary impact of this vulnerability is information disclosure. When successfully exploited, an authenticated attacker could potentially access sensitive information stored in the FortiWLM database through manipulated SQL queries (Fortiguard PSIRT).

Fortinet has addressed this vulnerability by releasing FortiWLM version 8.6.2. Users are advised to upgrade to this version or later to mitigate the risk (Fortiguard PSIRT).