CVE-2023-34985: 
FortiWLM vulnerability analysis and mitigation

A command injection vulnerability (CVE-2023-34985) was discovered in Fortinet FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. The vulnerability was disclosed on October 10, 2023, and involves improper neutralization of special elements used in OS commands (CWE-78). This security flaw affects the GUI component of FortiWLM (Fortinet Advisory).

The vulnerability is classified as a command injection flaw that allows improper neutralization of special elements used in OS commands. It received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability specifically affects the GUI component of FortiWLM and can be exploited through specifically crafted HTTP GET request parameters (NVD, Fortinet Advisory).

If successfully exploited, this vulnerability allows a remote authenticated attacker with low privileges to execute unauthorized code or commands on the affected system. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiWLM version 8.6.6 or above for the 8.6.x branch, or to version 8.5.5 or above for the 8.5.x branch (Fortinet Advisory).