An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSandbox may allow a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.
FortiSandbox version 4.2.0
FortiSandbox version 4.0.0 through 4.0.2
FortiSandbox version 3.2.0 through 3.2.3
FortiSandbox version 3.0.1 through 3.0.7
FortiSandbox 3.1 all versions
Please upgrade to FortiSandbox version 4.2.1 or above
Please upgrade to FortiSandbox version 4.0.3 or above
Please upgrade to FortiSandbox version 3.2.4 or above
AcknowledgementInternally discovered and reported by Théo Leleu of Fortinet Product Security team.
2023-03-21: Initial publication