FortiSandbox - Pervarsive SQL Injection

Summary

Instances of SQL Injection vulnerabilities in FortiSandbox's checksum search and MTA-quarantine modules may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests.

Affected Products

FortiSandbox version 3.2.2 and earlier.
FortiSandbox version 3.1.4 and earlier.

Solutions

Upgrade to FortiSandbox version 3.2.2 or later.
Upgrade to FortiSandbox version 3.1.5 or later.

Acknowledgement

Discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.

Timeline

2021-08-03: Initial publication