FortiSandbox - Unauthorized user able to download the device configuration file.

Summary

An improper access control vulnerability (CWE-284) in FortiSandbox may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.

Affected Products

FortiSandbox version 3.2.1 and below.
FortiSandbox version 3.1.4 and below.

Solutions

Please upgrade to FortiSandbox version 4.0.0 or above.
Please upgrade to FortiSandbox version 3.2.2 or above.
Please upgrade to FortiSandbox version 3.1.5 or above.

Acknowledgement

Fortinet is pleased to thank Danilo Costa for reporting this vulnerability under responsible disclosure.