Headline
CVE-2023-41844: Fortiguard
A improper neutralization of input during web page generation (‘cross-site scripting’) in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests in capture traffic endpoint.
FortiSandbox - Reflected Cross Site Scripting (XSS)
Summary
An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests in capture traffic endpoint.
Version
Affected
Solution
FortiSandbox 4.4
4.4.0 through 4.4.2
Upgrade to 4.4.3 or above
FortiSandbox 4.2
4.2 all versions
Migrate to a fixed release
FortiSandbox 4.0
4.0 all versions
Migrate to a fixed release
FortiSandbox 3.2
3.2 all versions
Migrate to a fixed release
FortiSandbox 3.1
3.1 all versions
Migrate to a fixed release
FortiSandbox 3.0
3.0.4 and above
Migrate to a fixed release
Acknowledgement
Fortinet is pleased to thank security researcher Sander Van der Borght (@Sander__VdB_) for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-12-06: Initial publication