CVE-2023-45587: Fortiguard
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
FortiSandbox - Reflected Cross Site Scripting (XSS) on download PDF report endpoint
Summary
An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
Version            Affected               Solution
FortiSandbox 4.4   4.4.0 through 4.4.2    Upgrade to 4.4.3 or above
FortiSandbox 4.2   4.2 all versions       Migrate to a fixed release
FortiSandbox 4.0   4.0 all versions       Migrate to a fixed release
FortiSandbox 3.2   3.2 all versions       Migrate to a fixed release
FortiSandbox 3.1   3.1 all versions       Migrate to a fixed release
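When triaging this advisory against an asset inventory, the useful check is whether each deployed FortiSandbox build falls inside the affected ranges of the vendor table above. The following is an added example, not Fortinet's code or tooling: it transcribes the table's ranges (the table, not the shorter ranges in the CVE description, is used, since the table is the vendor's remediation guidance), parses version strings as they typically appear in inventories, and reports the remediation for each affected host. The version-string format and the sample inventory are constructed assumptions.

```python
"""Assess FortiSandbox version strings against the affected ranges for
CVE-2023-45587 as given in the vendor advisory table.

Added example; not Fortinet's code. Ranges and remediation text are
transcribed from the advisory table; nothing else is vendor data.
"""

import re

# (branch, lowest affected, highest affected or None for "all versions", remediation)
# Values transcribed from the advisory table.
AFFECTED = [
    ("4.4", (4, 4, 0), (4, 4, 2), "Upgrade to 4.4.3 or above"),
    ("4.2", (4, 2, 0), None, "Migrate to a fixed release"),
    ("4.0", (4, 0, 0), None, "Migrate to a fixed release"),
    ("3.2", (3, 2, 0), None, "Migrate to a fixed release"),
    ("3.1", (3, 1, 0), None, "Migrate to a fixed release"),
]


def parse_version(text):
    """Turn '4.4.1', 'v4.4.1' or '4.4.1 build2500' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0 so that '4.4' compares as 4.4.0.
    The accepted formats are an assumption about how inventories record versions.
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Return (affected, remediation_or_reason) for one version string."""
    v = parse_version(version_text)
    for branch, low, high, action in AFFECTED:
        if v[:2] != low[:2]:
            continue  # a different major.minor branch; keep looking
        if high is None:
            return True, action  # the table lists every version of this branch
        if low <= v <= high:
            return True, action
        # Same branch but above the highest affected build (e.g. 4.4.3 and later).
        return False, f"{branch} branch: {version_text} is outside the affected range"
    return False, "branch not listed in the advisory"


def triage(inventory):
    """Given (hostname, version) pairs, list the hosts that need remediation."""
    findings = []
    for host, version in inventory:
        affected, detail = assess(version)
        if affected:
            findings.append((host, version, detail))
    return findings


# Constructed sample inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fsa-lab-01", "4.4.1"),
    ("fsa-lab-02", "v4.4.3 build2600"),
    ("fsa-dc-01", "4.2.5"),
    ("fsa-branch-07", "3.1.5"),
    ("fsa-eval", "5.0.0"),
]

if __name__ == "__main__":
    for host, version, action in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {version:20} {action}")
```

Running the module prints one line per affected host with the table's remediation text; hosts on 4.4.3 or later, or on a branch the advisory does not list, are omitted rather than reported as safe, so anything outside the table still deserves a manual look.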
Acknowledgement
Internally discovered and reported by Giulia Clerici and Adham El karn of the Fortinet Product Security team.