OS command injection on endpoint

Summary

Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

Version           Affected                Solution
FortiSandbox 4.4  4.4.0 through 4.4.3     Upgrade to 4.4.4 or above
FortiSandbox 4.2  4.2.0 through 4.2.6     Upgrade to 4.2.7 or above
FortiSandbox 4.0  4.0.0 through 4.0.4     Upgrade to 4.0.5 or above

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2024-04-09: Initial publication