CVE-2023-34987: 
FortiWLM vulnerability analysis and mitigation

A command injection vulnerability (CVE-2023-34987) was discovered in Fortinet FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. The vulnerability allows an authenticated attacker with low privileges to execute unauthorized code or commands through specifically crafted HTTP GET request parameters. This vulnerability was internally discovered and reported by Adham El karn of the Fortinet Product Security team and was publicly disclosed on October 10, 2023 (Fortinet Advisory, NVD).

The vulnerability is classified as an improper neutralization of special elements used in an OS command (CWE-78). It has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists in the GUI component of FortiWLM and can be exploited through specifically crafted HTTP GET request parameters (Fortinet Advisory, NVD).

If successfully exploited, this vulnerability allows attackers to execute unauthorized code or commands on the affected system. Given the CVSS score and vector string, the vulnerability can potentially lead to complete compromise of confidentiality, integrity, and availability of the affected system (NVD).

Fortinet has released patches to address this vulnerability. Users are advised to upgrade to FortiWLM version 8.6.6 or above for the 8.6.x branch, or to version 8.5.5 or above for the 8.5.x branch (Fortinet Advisory).