Description
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
E
F
RL
O
RC
Changed
Affected products
- fortinet / fortisandbox 4.4.8 - 4.4.8
- fortinet / fortisandbox 4.4.7 - 4.4.7
- fortinet / fortisandbox 4.4.6 - 4.4.6
- fortinet / fortisandbox 4.4.5 - 4.4.5
- fortinet / fortisandbox 4.4.4 - 4.4.4
- fortinet / fortisandbox 4.4.3 - 4.4.3
- fortinet / fortisandbox 4.4.2 - 4.4.2
- fortinet / fortisandbox 4.4.1 - 4.4.1
- fortinet / fortisandbox 4.4.0 - 4.4.0
- fortinet / fortisandboxpaas 23.4.4374 - 23.4.4374
- fortinet / fortisandboxpaas 23.4.4350 - 23.4.4350
- fortinet / fortisandboxpaas 23.3.4329 - 23.3.4329
- fortinet / fortisandboxpaas 23.1.4245 - 23.1.4245
- fortinet / fortisandboxpaas 22.2.4151 - 22.2.4151
- fortinet / fortisandboxpaas 22.2.4134 - 22.2.4134
- fortinet / fortisandboxpaas 22.1.4113 - 22.1.4113
- fortinet / fortisandboxpaas 21.4.4072 - 21.4.4072
- fortinet / fortisandboxpaas 21.3.4055 - 21.3.4055
Exploits & PoCs
- nuclei: Fortinet FortiSandbox - Command Injection, by DhiyaneshDk
References
- VENDOR_ADVISORY: https://fortiguard.fortinet.com/psirt/FG-IR-26-100