PSIRT Advisories

FortiSandbox - Multiple path traversals

Summary

Improper limitation of a pathname to a restricted directory (CWE-22) vulnerabilities in FortiSandbox may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests.

Affected Products

FortiSandbox 3.2.2 and below.
FortiSandbox 3.1.4 and below.

Solutions

Upgrade to FortiSandbox version 4.0.0 or above.

Upgrade to FortiSandbox version 3.2.3 or above.

Upgrade to FortiSandbox version 3.1.5 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.