Multiple command injection vulnerabilities in webserver
Summary
An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in the webserver of FortiExtender may allow a privileged attacker to execute arbitrary OS commands via specially crafted input parameters.
Affected Products
FortiExtender 7.6 all versions are not affected
FortiExtender 7.4 all versions are not affected
FortiExtender 7.2 all versions are not affected
FortiExtender version 7.0.0 through 7.0.3
FortiExtender 5.3 all versions
FortiExtender version 4.2.0 through 4.2.4
FortiExtender version 4.1.1 through 4.1.8
FortiExtender version 4.0.0 through 4.0.2
FortiExtender version 3.3.0 through 3.3.2
FortiExtender version 3.2.1 through 3.2.3
FortiExtender 3.1 all versions
FortiExtender 3.0 all versions
Solutions
Upgrade to FortiExtender version 7.2.0 and above
Upgrade to FortiExtender version 7.0.4 and above
Upgrade to FortiExtender version 4.2.5 and above
Upgrade to FortiExtender upcoming version 4.1.9 and above
Upgrade to FortiExtender upcoming version 4.0.3 and above
Upgrade to FortiExtender version 3.3.3 and above
Upgrade to FortiExtender version 3.2.4 and above
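To triage a device inventory against the Affected Products and Solutions lists above, the following Python helper is an added example, not Fortinet's code or tooling: it encodes the ranges from this advisory and classifies a FortiExtender version string, naming the release to upgrade to where the advisory lists one. The status labels and the "unlisted" bucket for builds the advisory does not mention are assumptions of this example.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from this advisory, keyed by release branch:
# (first affected, last affected, fixed version). None for the range means
# "all versions" of that branch; None for the fix means the advisory lists no
# fixed release on that branch, so the remedy is moving to a fixed branch.
AFFECTED = {
    (7, 0): ((7, 0, 0), (7, 0, 3), (7, 0, 4)),
    (5, 3): (None, None, None),
    (4, 2): ((4, 2, 0), (4, 2, 4), (4, 2, 5)),
    (4, 1): ((4, 1, 1), (4, 1, 8), (4, 1, 9)),  # 4.1.9 listed as upcoming
    (4, 0): ((4, 0, 0), (4, 0, 2), (4, 0, 3)),  # 4.0.3 listed as upcoming
    (3, 3): ((3, 3, 0), (3, 3, 2), (3, 3, 3)),
    (3, 2): ((3, 2, 1), (3, 2, 3), (3, 2, 4)),
    (3, 1): (None, None, None),
    (3, 0): (None, None, None),
}
# Branches the advisory explicitly lists as not affected.
NOT_AFFECTED_BRANCHES = {(7, 6), (7, 4), (7, 2)}


def parse_version(text: str) -> Version:
    """Turn '7.0.2' or 'v7.0.2' into a tuple of ints that compares numerically."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify one device version against the advisory.

    Returns (status, fixed_version): status is 'affected', 'fixed',
    'not affected' or 'unlisted' (labels chosen for this example);
    fixed_version is the release to upgrade to, or None when the advisory
    names none for that branch.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in NOT_AFFECTED_BRANCHES:
        return "not affected", None
    entry = AFFECTED.get(branch)
    if entry is None:
        return "unlisted", None  # e.g. 6.x: the advisory says nothing about it
    first, last, fixed = entry
    fixed_text = ".".join(map(str, fixed)) if fixed else None
    if first is None or first <= v <= last:
        return "affected", fixed_text
    if v > last:
        return "fixed", None  # at or past the fixed release on that branch
    return "unlisted", None  # below the first affected build, e.g. 4.1.0
```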
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Timeline
2023-02-16: Initial publication