Headline
CVE-2023-41836: Fortiguard
An improper neutralization of input during web page generation (‘cross-site scripting’) in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests.
** PSIRT Advisories**
FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint
Summary
An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
Version
Affected
Solution
FortiSandbox 4.4
4.4.0
Upgrade to 4.4.2 or above
FortiSandbox 4.2
4.2.0 through 4.2.4
Upgrade to 4.4.2 or above
FortiSandbox 4.0
4.0 all versions
Migrate to a fixed release
FortiSandbox 3.2
3.2 all versions
Migrate to a fixed release
FortiSandbox 3.1
3.1 all versions
Migrate to a fixed release
FortiSandbox 3.0
3.0.4 through 3.0.7
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.
Timeline
2023-10-13: Initial publication