PSIRT Advisories

FortiSandbox - Improper password storage mechanism


FortiSandbox stores password hashes computed with insufficient computational effort [CWE-916]. This may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords.
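An added example, not FortiSandbox code and not part of this advisory: it shows the defensive counterpart of CWE-916, flagging stored records whose work factor is too low and re-hashing them with PBKDF2 on the next successful login. The advisory does not say which hash the affected versions used, so the legacy `sha256` scheme, the record format, the function names and the 600,000-iteration floor are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, os

MIN_ITERATIONS = 600_000  # assumed policy floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<key>' using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(key)}"

def derive(scheme: str, cost: str, salt: bytes, password: str) -> bytes:
    """Recompute the stored value for either scheme this example understands."""
    pw = password.encode("utf-8")
    if scheme == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(cost))
    if scheme == "sha256":  # hypothetical legacy scheme: one fast hash, cost unused
        return hashlib.sha256(salt + pw).digest()
    raise ValueError(f"unknown scheme {scheme!r}")

def is_weak(record: str) -> bool:
    """True when the record's work factor is below the policy floor."""
    scheme, cost, _salt, _key = record.split("$")
    return scheme != "pbkdf2_sha256" or int(cost) < MIN_ITERATIONS

def verify_and_upgrade(password: str, record: str):
    """Return (ok, new_record); new_record replaces a weak record after a
    successful login and is None otherwise."""
    scheme, cost, salt_b64, key_b64 = record.split("$")
    actual = derive(scheme, cost, base64.b64decode(salt_b64), password)
    if not hmac.compare_digest(actual, base64.b64decode(key_b64)):  # constant time
        return False, None
    return True, (hash_password(password) if is_weak(record) else None)

# Constructed sample records (not taken from any product database).
SAMPLE_SALT = bytes(range(16))
LEGACY = "sha256$1$%s$%s" % (
    b64(SAMPLE_SALT), b64(hashlib.sha256(SAMPLE_SALT + b"example-pw").digest()))
LOW_COST = hash_password("example-pw", iterations=1_000)
```

Running `is_weak` over every stored record gives an inventory of accounts still protected only by a low-cost hash; those accounts stay exposed to bulk guessing until their next login or a forced reset.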

Affected Products

FortiSandbox version 4.0.0 through 4.0.2
FortiSandbox version 3.2.0 through 3.2.3


Upgrade to FortiSandbox version 4.2.0 and above.


Internally discovered by Giuseppe Cocomazzi.