Arbitrary file delete on endpoint


An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow an authenticated attacker with at least read-only permission to delete arbitrary files via crafted HTTP requests.

Version Affected Solution
FortiSandbox 4.4 4.4.0 through 4.4.3 Upgrade to 4.4.4 or above
FortiSandbox 4.2 4.2.0 through 4.2.6 Upgrade to 4.2.7 or above
FortiSandbox 4.0 4.0.0 through 4.0.4 Upgrade to 4.0.5 or above


Internally discovered and reported by Adham El karn of Fortinet Product Security team.


2024-04-09: Initial publication