PSIRT Advisories

Multiple XSS vulnerabilities in FortiSandbox WebUI

Description

The Web User Interface of FortiSandbox version 2.0.4 and below is vulnerable to multiple reflected Cross-Site Scripting vulnerabilities.
Five potential XSS vectors were identified:
* Fortiview threats by users search filtered by serial
* Fortiview threats by users search filtered by vdom
* Export report feature in the Fortiview search page
* Screenshot download generated by the VM scan feature
* PCAP file download generated by the VM scan feature
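The advisory names two kinds of vector: search filters (serial, vdom) reflected into a results page, and generated files (screenshot, PCAP) served to the browser. The following is an added example, not FortiSandbox code and not derived from Fortinet's implementation: it shows the reflected-XSS bug class on a constructed "threats by users" search page beside its hardened form, hardened response headers for a generated download, and a small detection helper run over constructed access-log lines. The paths, parameter names, log format and serial value are all assumptions made for the illustration.

```python
import html
import re
from urllib.parse import parse_qs


def render_search_vulnerable(query_string: str, field: str = "serial") -> str:
    """Reflect a search filter value straight into HTML (the bug class).
    Shown only for contrast with the hardened version below."""
    value = parse_qs(query_string).get(field, [""])[0]
    return f"<h2>Threats by users, filtered by {field}: {value}</h2>"


def render_search_hardened(query_string: str, field: str = "serial") -> str:
    """Same page with contextual output encoding: the value is HTML-entity
    encoded before it is placed in element content, so markup in the
    parameter is displayed as text instead of being parsed."""
    value = html.escape(parse_qs(query_string).get(field, [""])[0], quote=True)
    return f"<h2>Threats by users, filtered by {field}: {value}</h2>"


def download_headers_hardened(requested_name: str, content_type: str) -> dict:
    """Response headers for a generated artifact (screenshot, PCAP) so the
    browser saves it as a file and never sniffs it, or a reflected name,
    into an HTML document. Hypothetical helper, not a FortiSandbox API."""
    # Keep only a conservative character set in the file name and drop
    # leading dots so the result can neither carry markup nor a path.
    safe = re.sub(r"[^A-Za-z0-9._-]", "", requested_name).strip(".") or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }


# Characters that open or close markup or attribute values in HTML.
MARKUP = re.compile(r"[<>\"']")
REQUEST_LINE = re.compile(r'"(?:GET|POST) \S+\?(\S*) HTTP')


def flag_markup_in_params(log_line: str, watched=("serial", "vdom")) -> list:
    """Detection helper: return the watched query parameters in one access-log
    line whose decoded value contains markup characters. parse_qs decodes one
    layer of percent-encoding; double-encoded values are out of scope here."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    hits = []
    for name, values in parse_qs(m.group(1)).items():
        if name in watched and any(MARKUP.search(v) for v in values):
            hits.append(name)
    return hits


# Constructed log lines; the paths and serial number are invented for the example.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2016:10:00:00 +0000] '
    '"GET /fortiview/threats?serial=FSA3000A12345678 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [01/Jan/2016:10:00:07 +0000] '
    '"GET /fortiview/threats?serial=%3Cb%3Ex%3C%2Fb%3E&vdom=root HTTP/1.1" 200 4133',
]


if __name__ == "__main__":
    q = "serial=%3Cb%3Ebold%3C%2Fb%3E"
    print("vulnerable:", render_search_vulnerable(q))
    print("hardened:  ", render_search_hardened(q))
    print(download_headers_hardened("../<script>.pcap", "application/vnd.tcpdump.pcap"))
    for line in SAMPLE_LOG:
        print(flag_markup_in_params(line), line)
```

The hardened renderer fixes the search-filter vectors at the output boundary, which is where reflected XSS is properly addressed; input validation on the serial or vdom value is a useful extra layer but not a substitute. For the download vectors, `Content-Disposition: attachment` together with `X-Content-Type-Options: nosniff` stops the browser from treating a generated screenshot or PCAP as a page in the authenticated session, whatever its bytes or name contain.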

Impact Detail

A remote unauthenticated attacker may be able to execute arbitrary code in the security context of an authenticated user's browser session.

Affected Products

FortiSandbox 2.0.4 and lower.

Solutions

Upgrade to FortiSandbox 2.1 or above.

Acknowledgement

Thanks to John Page.