Reflected Cross Site Scripting (XSS) on the "file ondemand" rendering endpoint
Summary
An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.
| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 4.4 | 4.4.0 through 4.4.1 | Upgrade to 4.4.2 or above |
| FortiSandbox 4.2 | 4.2.0 through 4.2.5 | Upgrade to 4.2.6 or above |
| FortiSandbox 4.0 | 4.0.0 through 4.0.3 | Upgrade to 4.0.4 or above |
| FortiSandbox 3.2 | 3.2 all versions | Migrate to a fixed release |
| FortiSandbox 3.1 | 3.1 all versions | Migrate to a fixed release |
| FortiSandbox 3.0 | 3.0 all versions | Migrate to a fixed release |
| FortiSandbox 2.5 | 2.5 all versions | Migrate to a fixed release |
| FortiSandbox 2.4 | 2.4.1 | Migrate to a fixed release |
Acknowledgement
Fortinet is pleased to thank security researcher Sander Van der Borght (@Sander__VdB_) for discovering and reporting this vulnerability under responsible disclosure.
Timeline
2023-10-13: Initial publication