CVE-2023-41682: Fortiguard

An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiSandbox versions 4.4.0, 4.2.0 through 4.2.5, 4.0.0 through 4.0.3, 3.2.0 through 3.2.4, 2.5.0 through 2.5.2, 2.4.1 and 2.4.0 allows an attacker to cause a denial of service via crafted HTTP requests.


PSIRT Advisories

FortiSandbox - Arbitrary file delete

Summary

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow a low-privileged attacker to delete arbitrary files via crafted HTTP requests.
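As an added illustration (not Fortinet's code; the advisory gives no detail of the affected endpoint), the following is a file-delete helper that refuses any request path resolving outside its base directory. This is the CWE-22 control whose absence the advisory describes; the base directory, file names and request values are constructed for the example.

```python
"""Hardened file-delete helper: the path-containment check that prevents CWE-22."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the permitted directory."""


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Return the canonical path for user_path, or raise if it leaves base_dir."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    base = Path(base_dir).resolve()
    # Path('/base') / '/etc/passwd' yields '/etc/passwd', so absolute input is
    # caught by the containment check below; resolve() also collapses '..'
    # and follows symlinks, so a link pointing outside base is rejected too.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} escapes {base}")
    return candidate


def safe_delete(base_dir: str, raw_request_path: str) -> bool:
    """Delete a file named by an HTTP request parameter; True if a file was removed."""
    target = resolve_within(base_dir, unquote(raw_request_path))  # decode %2e%2e etc.
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: one report file in a temporary base directory."""
    base = tempfile.mkdtemp()
    Path(base, "report-1.txt").write_text("constructed sample")
    outcomes = {}
    for raw in ("report-1.txt", "missing.txt", "../../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        try:
            outcomes[raw] = "deleted" if safe_delete(base, raw) else "missing"
        except PathTraversalError:
            outcomes[raw] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```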

Affected Products

At least
FortiSandbox version 4.4.0
FortiSandbox version 4.2.0 through 4.2.5
FortiSandbox version 4.0.0 through 4.0.3
FortiSandbox 3.2 all versions
FortiSandbox 2.5 all versions
FortiSandbox 2.4 all versions

Solutions

Please upgrade to FortiSandbox version 4.4.2 or above
Please upgrade to FortiSandbox version 4.2.6 or above
Please upgrade to FortiSandbox version 4.0.4 or above

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2023-10-13: Initial publication
