CVE-2023-41843: Fortiguard
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox versions 4.4.1 and 4.4.0, 4.2.0 through 4.2.5, and 4.0.0 through 4.0.3 allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
**PSIRT Advisories**
FortiSandbox - Reflected Cross Site Scripting (XSS) on the “file ondemand” rendering endpoint
Summary
An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
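The advisory does not publish the affected parameter or the rendering code, so the following is an added illustration of the CWE-79 pattern it names, not FortiSandbox code: a hypothetical endpoint that reflects a query parameter (assumed name `name`) into an HTML page, first verbatim and then with the HTML-significant characters neutralized. The payload and query string are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, quote

# Hypothetical page template; the placeholder sits in HTML body (element) context.
PAGE = "<html><body><p>Report for file: {name}</p></body></html>"


def reflected_name(query_string: str) -> str:
    """Return the 'name' parameter as a server would receive it after URL decoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_unsafe(query_string: str) -> str:
    # CWE-79: the decoded parameter is copied into the response verbatim, so any
    # markup it contains is interpreted by the victim's browser.
    return PAGE.format(name=reflected_name(query_string))


def render_safe(query_string: str) -> str:
    # Output encoding for element context: html.escape converts < > & " ' to
    # entities, so the input is displayed as text rather than parsed as markup.
    # Attribute, URL and JavaScript contexts each need their own encoder; this
    # escaper alone is not sufficient there.
    return PAGE.format(name=html.escape(reflected_name(query_string), quote=True))


def payload_survives(rendered: str, payload: str) -> bool:
    """Crude response check: does the raw payload appear unencoded in the page?"""
    return payload in rendered


# Constructed probe, not taken from the advisory.
CONSTRUCTED_PAYLOAD = "<script>alert(document.cookie)</script>"
CONSTRUCTED_QUERY = "name=" + quote(CONSTRUCTED_PAYLOAD)

if __name__ == "__main__":
    print("unsafe :", payload_survives(render_unsafe(CONSTRUCTED_QUERY), CONSTRUCTED_PAYLOAD))
    print("safe   :", payload_survives(render_safe(CONSTRUCTED_QUERY), CONSTRUCTED_PAYLOAD))
    print(render_safe(CONSTRUCTED_QUERY))
```

The same `payload_survives` check, run against a real response with a harmless marker string, is how a tester confirms whether a patched build actually encodes the reflected value rather than merely filtering one payload.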
| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 4.4 | 4.4.0 through 4.4.1 | Upgrade to 4.4.2 or above |
| FortiSandbox 4.2 | 4.2.0 through 4.2.5 | Upgrade to 4.4.2 or above |
| FortiSandbox 4.0 | 4.0.0 through 4.0.3 | Upgrade to 4.0.4 or above |
| FortiSandbox 3.2 | 3.2 all versions | Migrate to a fixed release |
| FortiSandbox 3.1 | 3.1 all versions | Migrate to a fixed release |
| FortiSandbox 3.0 | 3.0 all versions | Migrate to a fixed release |
| FortiSandbox 2.5 | 2.5 all versions | Migrate to a fixed release |
| FortiSandbox 2.4 | 2.4.1 | Migrate to a fixed release |
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Fortinet is pleased to thank security researcher Sander Van der Borght (@Sander__VdB_) for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-10-13: Initial publication