Arbitrary file delete on endpoint
Summary
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow an authenticated attacker with at least read-only permission to delete arbitrary files via crafted HTTP requests.
| Version | Affected | Solution |
|---|---|---|
FortiSandbox 4.4 | 4.4.0 through 4.4.3 | Upgrade to 4.4.4 or above |
FortiSandbox 4.2 | 4.2.0 through 4.2.6 | Upgrade to 4.2.7 or above |
FortiSandbox 4.0 | 4.0.0 through 4.0.4 | Upgrade to 4.0.5 or above |
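The summary above describes the general shape of a CWE-22 weakness in a delete operation: a pathname taken from the request is joined to a restricted directory without being confined to it. The following is an added illustration of the containment check that closes that class of defect; it is example code written for this page, not FortiSandbox code, and says nothing about how the product implements its endpoint. The base directory, file names and request values are constructed for the demo.

```python
"""
Added illustration of the defensive check that prevents CWE-22 in a
file-delete handler. Example code for this page only; it is not
FortiSandbox code and makes no claim about the product's internals.
The base directory, request values and sample file names are constructed.
"""
import os
import tempfile
from pathlib import Path


def resolve_under_base(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    The check runs on fully resolved paths ('..' collapsed, symlinks followed),
    so a relative traversal, an absolute path, or a symlink inside the
    directory that points outside it are all rejected with ValueError.
    """
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` discards `base` entirely, which is why
    # the containment check must be made on the final resolved path.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def delete_user_file(base_dir: str, requested: str) -> bool:
    """Delete a file under base_dir; return True if a file was removed.

    A naive `os.remove(os.path.join(base_dir, requested))` would honour
    traversal sequences; this version refuses anything outside base_dir.
    """
    target = resolve_under_base(base_dir, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Run the handler against constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")        # the restricted directory
        os.mkdir(base)
        inside = os.path.join(base, "scan-123.bin")  # legitimately deletable
        outside = os.path.join(root, "config.db")    # must never be touched
        for path in (inside, outside):
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        # A symlink inside the restricted directory that points outside it.
        link = os.path.join(base, "link")
        symlink_ok = True
        try:
            os.symlink(outside, link)
        except (OSError, NotImplementedError):
            symlink_ok = False

        def attempt(requested):
            try:
                return delete_user_file(base, requested)
            except ValueError:
                return "rejected"

        results["plain"] = attempt("scan-123.bin")
        results["traversal"] = attempt("../config.db")
        results["absolute"] = attempt(outside)
        results["symlink"] = attempt("link") if symlink_ok else "unsupported"
        results["outside_still_exists"] = os.path.exists(outside)
        results["inside_removed"] = not os.path.exists(inside)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment test is done after `resolve()` rather than by string inspection for `../`, because encoded or normalised variants and symlinks only become visible once the operating system has computed the final path. A review of any file-handling endpoint should confirm the same property: the path the kernel will act on, not the path the client sent, is the one compared against the permitted directory.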
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.
Timeline
2024-04-09: Initial publication