PSIRT Advisories

FortiSandbox - Session ID does not expire after logout


An insufficient session expiration vulnerability [CWE-613] in FortiSandbox may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

Affected Products

FortiSandbox versions 3.2.1 and below.


Please upgrade to FortiSandbox version 3.2.2 or above.
Please upgrade to FortiSandbox version 4.0.0.
1. Disable HTTP and enable HTTPS to prevent intercepting the token over the network.
2. Clear the browser cache/cookies after logging out to prevent the token from being available on the local PC.


Fortinet is pleased to thank Danilo Costa for reporting this vulnerability under responsible disclosure