An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSandbox may allow a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.
Affected Products
At least FortiSandbox version 4.2.0
FortiSandbox version 4.0.0 through 4.0.2
FortiSandbox version 3.2.0 through 3.2.3
FortiSandbox version 3.0.1 through 3.0.7
FortiSandbox 3.1 all versions
Solutions
Please upgrade to FortiSandbox version 4.2.1 or above
Please upgrade to FortiSandbox version 4.0.3 or above
Please upgrade to FortiSandbox version 3.2.4 or above
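For fleet triage it helps to turn the version ranges above into a check that can be run over an inventory export. The following Python helper is an added example, not Fortinet's code or part of this advisory; the version data is transcribed from the Affected Products and Solutions sections, while two points are assumptions made here: "at least 4.2.0" is read as 4.2.0 only (4.2.1 being the fixed release on that branch), and for the 3.0 and 3.1 branches, for which the advisory lists no fixed release, the helper reports that a move to a fixed branch is needed rather than naming a target version.

```python
"""Classify an installed FortiSandbox version against this advisory's ranges.

Added example, not Fortinet's code. Ranges are transcribed from the advisory;
the reading of "at least 4.2.0" as 4.2.0 only, and the advice for the 3.0 and
3.1 branches (no fixed release listed), are assumptions made in this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn 'v4.0.2' into (4, 0, 2); a bare 'X.Y' is read as X.Y.0."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a FortiSandbox-style version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)


@dataclass(frozen=True)
class Branch:
    major_minor: Tuple[int, int]
    first_affected: Optional[Version]  # None: every release on the branch
    last_affected: Optional[Version]   # None: every release on the branch
    fixed: Optional[Version]           # None: advisory lists no fixed release


# Transcribed from "Affected Products" and "Solutions". The 4.2 entry reads
# "at least 4.2.0"; it is modelled as 4.2.0 only because 4.2.1 is the fix (assumption).
BRANCHES = (
    Branch((4, 2), (4, 2, 0), (4, 2, 0), (4, 2, 1)),
    Branch((4, 0), (4, 0, 0), (4, 0, 2), (4, 0, 3)),
    Branch((3, 2), (3, 2, 0), (3, 2, 3), (3, 2, 4)),
    Branch((3, 1), None, None, None),        # "3.1 all versions", no fix listed
    Branch((3, 0), (3, 0, 1), (3, 0, 7), None),  # no fix listed for 3.0 either
)


@dataclass(frozen=True)
class Assessment:
    affected: bool
    upgrade_to: Optional[str]  # fixed release on the same branch, if the advisory lists one
    note: str


def _fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Assessment:
    """Return whether the version is in an affected range and which fix applies."""
    v = parse_version(version_text)
    for b in BRANCHES:
        if v[:2] != b.major_minor:
            continue
        in_range = ((b.first_affected is None or v >= b.first_affected)
                    and (b.last_affected is None or v <= b.last_affected))
        if in_range:
            if b.fixed is None:
                return Assessment(True, None,
                                  "affected; no fixed release listed on this branch, "
                                  "move to a fixed branch")
            return Assessment(True, _fmt(b.fixed),
                              f"affected; upgrade to {_fmt(b.fixed)} or above")
        if b.fixed is not None and v >= b.fixed:
            return Assessment(False, None, "at or above the fixed release")
        return Assessment(False, None,
                          "branch listed, but this release is outside the affected range")
    return Assessment(False, None, "branch not listed in this advisory")


if __name__ == "__main__":
    # Constructed sample inventory, one version string per appliance.
    for sample in ("4.2.0", "4.2.1", "4.0.2", "3.2.4", "3.1.2", "3.0.7", "4.4.0"):
        print(f"{sample:>6} -> {assess(sample).note}")
```

Because the advisory gives no fixed release for the 3.0 and 3.1 branches, the helper deliberately leaves `upgrade_to` empty for them instead of guessing a target; which fixed branch to move such appliances to is a decision to take with the vendor's current release notes, not something this advisory states.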
Acknowledgement
Internally discovered and reported by Théo Leleu of the Fortinet Product Security team.
2023-03-21: Initial publication