FortiSandbox - Command injection impacting CLI command
Summary
An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to execute arbitrary code via CLI.
Version | Affected | Solution |
---|---|---|
FortiSandbox 4.4 | 4.4.0 through 4.4.2 | Upgrade to 4.4.3 or above |
FortiSandbox 4.2 | 4.2.0 through 4.2.6 | Upgrade to 4.2.7 or above |
FortiSandbox 4.0 | 4.0 all versions | Migrate to a fixed release |
FortiSandbox 3.2 | 3.2 all versions | Migrate to a fixed release |
FortiSandbox 3.0 | 3.0.5 through 3.0.7 | Migrate to a fixed release |
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.Timeline
2024-04-09: Initial publication