=====================================================================

                             CERT-Renater

                   Note d'Information No. 2023/VULN328

_____________________________________________________________________

DATE                : 14/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiTester versions prior to
                     7.3.0.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-22-501
_____________________________________________________________________


FortiTester - Authenticated command injection in FortiGuard explicit
proxy setting


Summary

An improper neutralization of special elements used in an OS
command vulnerability [CWE-78] in the management interface of
FortiTester may allow an authenticated attacker to execute
unauthorized commands via specifically crafted arguments to
existing commands.
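To make the vulnerability class concrete, here is an added illustration, not FortiTester or Fortinet code, of the vulnerable pattern (a setting value spliced into a shell string) next to a hardened form, plus a simple audit-log check a defender can run; the handler, argument names, log format and sample values are all assumptions made for this example.

```python
"""Hypothetical CWE-78 illustration for a proxy-setting handler.
Not FortiTester or Fortinet code: handler, argument names, audit-log
format and sample values are constructed for this example."""
import re

# Allowlist: DNS hostname labels (also matches a dotted IPv4 literal).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")
# Characters that change the meaning of a shell command line.
_SHELL_META = set(";|&$`<>(){}\n\r'\"\\ ")


def build_unsafe_command(host: str, port: str) -> str:
    """Vulnerable pattern: setting values spliced into a shell string.
    Whatever the caller supplies becomes part of the command line."""
    return f"set-proxy --host {host} --port {port}"


def validate_proxy_setting(host: str, port: str) -> tuple[str, int]:
    """Hardened pattern: allowlist the host, range-check the port."""
    if not _HOST_RE.match(host):
        raise ValueError("proxy host is not a valid hostname")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("proxy port must be an integer in 1..65535")
    return host, int(port)


def build_safe_argv(host: str, port: str) -> list[str]:
    """argv for subprocess.run(argv, shell=False): no shell re-parses the
    values, so a stray metacharacter can never split the command."""
    h, p = validate_proxy_setting(host, port)
    return ["set-proxy", "--host", h, "--port", str(p)]


def flag_suspicious_values(audit_lines: list[str]) -> list[str]:
    """Detection aid: return audit-log lines whose proxy-host value
    carries shell metacharacters, a sign someone probed this bug class."""
    hits = []
    for line in audit_lines:
        m = re.search(r'proxy-host="([^"]*)"', line)
        if m and _SHELL_META.intersection(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample audit lines (not a real FortiTester log format).
AUDIT_SAMPLE = [
    '2023-09-14 10:00:01 admin config proxy-host="proxy.example.net" proxy-port="3128"',
    '2023-09-14 10:02:17 admin config proxy-host="proxy.example.net; true" proxy-port="3128"',
]
```

The point of contrast is that the argv form never hands the values to a shell at all, so validation is a second layer rather than the only one.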


Affected Products

FortiTester 7.2 all versions
FortiTester 7.1 all versions
FortiTester 7.0 all versions
FortiTester 4.2 all versions
FortiTester 4.1 all versions
FortiTester 4.0 all versions
FortiTester 3.9 all versions
FortiTester 3.8 all versions
FortiTester 3.7 all versions
FortiTester 3.6 all versions
FortiTester 3.5 all versions
FortiTester 3.4 all versions
FortiTester 3.3 all versions
FortiTester 3.2 all versions
FortiTester 3.1 all versions
FortiTester 3.0 all versions


Solutions

Please upgrade to FortiTester version 7.3.0 or above.


Acknowledgement

Internally discovered and reported by Wilfried Djettchou of
Fortinet Product Security team.


Timeline
2023-09-01: Initial publication



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
