FortiTester - Multiple command injection vulnerabilities in GUI and API

Summary

Multiple improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerabilities [CWE-78] in FortiTester may allow an authenticated attacker to execute arbitrary commands in the underlying shell.

Affected Products

FortiTester version 7.1.0
FortiTester version 7.0 all versions
FortiTester version 4.0.0 through 4.2.0
FortiTester version 2.3.0 through 3.9.1

Solutions

Please upgrade to FortiTester version 7.2.0 or above
Please upgrade to FortiTester version 7.1.1 or above
Please upgrade to FortiTester version 4.2.1 or above
Please upgrade to FortiTester version 3.9.2 or above

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.