Readonly user could execute sensitive operations
Summary
A client-side enforcement of server-side security vulnerability [CWE-602] in FortiSandbox may allow an authenticated attacker with at least read-only permission to download or upload the FortiSandbox configuration. In a CWE-602 weakness the restriction is applied only on the client side, so a request that does not come through the client's normal controls is not rejected by the server.
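As an added illustration of the weakness class named above (hypothetical code written for this page, not FortiSandbox's own implementation; the action names, roles, configuration format and request shape are all assumptions), the following shows a management backend whose read-only restriction lives only in the menu-rendering code next to the same backend with the check moved into the request handler. A read-only user who sends the config_download or config_upload action directly succeeds against the first and is refused by the second.

```python
"""CWE-602 illustration: authorization enforced only in the client vs. on the server.

Hypothetical code for this advisory's weakness class; nothing here is FortiSandbox code.
Assumed roles: "admin" and "readonly". Assumed actions: status, config_download, config_upload.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str  # "admin" or "readonly" (assumption)


@dataclass
class Request:
    session: Session
    action: str
    body: bytes = b""


class Forbidden(Exception):
    """Raised when the server refuses an action for the caller's role."""


# Actions that the UI presents only to administrators.
ADMIN_ONLY_ACTIONS = frozenset({"config_download", "config_upload"})


def parse_config(body: bytes) -> dict:
    """Parse an assumed key=value configuration format into a dict."""
    out = {}
    for line in body.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


class ConfigService:
    def __init__(self, enforce_server_side: bool):
        # False reproduces the CWE-602 pattern: only render_menu() knows about roles.
        # True is the hardened form: handle() checks the role on every request.
        self.enforce_server_side = enforce_server_side
        # Constructed sample configuration (assumption, not real appliance data).
        self.config = {"hostname": "sandbox-01", "syslog_server": "10.0.0.5"}

    def render_menu(self, session: Session) -> list:
        """Client-side filtering: hides admin actions from read-only users.

        Hiding a menu entry is a usability decision, not a security control;
        nothing stops a user from sending the hidden action directly.
        """
        actions = {"status"}
        if session.role == "admin":
            actions |= ADMIN_ONLY_ACTIONS
        return sorted(actions)

    def handle(self, req: Request) -> dict:
        """Dispatch a request; authorization is checked here only in the hardened form."""
        if (
            self.enforce_server_side
            and req.action in ADMIN_ONLY_ACTIONS
            and req.session.role != "admin"
        ):
            raise Forbidden(f"{req.session.user} ({req.session.role}) may not {req.action}")

        if req.action == "status":
            return {"user": req.session.user, "role": req.session.role}
        if req.action == "config_download":
            return dict(self.config)  # copy, so callers cannot mutate state indirectly
        if req.action == "config_upload":
            self.config.update(parse_config(req.body))
            return {"ok": True, "keys": sorted(self.config)}
        raise KeyError(f"unknown action {req.action!r}")


def readonly_can_change_config(service: ConfigService) -> bool:
    """Probe: does a read-only session succeed at an action the menu never offered it?"""
    ro = Session(user="auditor", role="readonly")
    assert "config_upload" not in service.render_menu(ro)  # hidden in the UI either way
    try:
        service.handle(Request(ro, "config_upload", b"syslog_server=192.0.2.99\n"))
    except Forbidden:
        return False
    return service.config["syslog_server"] == "192.0.2.99"


if __name__ == "__main__":
    print("client-only enforcement, read-only changed config:",
          readonly_can_change_config(ConfigService(enforce_server_side=False)))
    print("server-side enforcement, read-only changed config:",
          readonly_can_change_config(ConfigService(enforce_server_side=True)))
```

The probe deliberately bypasses render_menu(), which is the whole point of the weakness class: the client's view of what is permitted is advisory, and the only check that counts is the one the server performs on each request. The fix pattern is to derive the decision from the session's role inside handle(), not from which buttons the UI chose to draw.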
| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 4.4 | 4.4.0 through 4.4.4 | Upgrade to 4.4.5 or above |
| FortiSandbox 4.2 | 4.2.0 through 4.2.6 | Upgrade to 4.2.7 or above |
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.
Timeline
2024-05-14: Initial publication