FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint

Summary

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version            Affected              Solution
FortiSandbox 4.4   4.4.0                 Upgrade to 4.4.2 or above
FortiSandbox 4.2   4.2.0 through 4.2.4   Upgrade to 4.4.2 or above
FortiSandbox 4.0   4.0 all versions      Migrate to a fixed release
FortiSandbox 3.2   3.2 all versions      Migrate to a fixed release
FortiSandbox 3.1   3.1 all versions      Migrate to a fixed release
FortiSandbox 3.0   3.0.4 through 3.0.7

Acknowledgement

Internally discovered and reported by Adham El karn of the Fortinet Product Security team.

Timeline

2023-10-13: Initial publication