An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow a low-privileged attacker to delete arbitrary files via crafted HTTP requests.
Affected Products
At least
FortiSandbox version 4.4.0
FortiSandbox version 4.2.0 through 4.2.5
FortiSandbox version 4.0.0 through 4.0.3
FortiSandbox 3.2 all versions
FortiSandbox 3.1 all versions
FortiSandbox 3.0 all versions
FortiSandbox 2.5 all versions
FortiSandbox 2.4 all versions
Solutions
Please upgrade to FortiSandbox version 4.4.2 or above
Please upgrade to FortiSandbox version 4.2.6 or above
Please upgrade to FortiSandbox version 4.0.4 or above
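
For triaging an inventory against the version lists above, the following is an added example, not part of Fortinet's advisory. It classifies a FortiSandbox version string as affected, fixed, or unlisted; the function names and the sample inventory are assumptions, and a version such as 4.4.1 (below the fixed release but not in the "at least" list) is reported as unlisted together with its upgrade target.

```python
# Added example: ranges and fixed releases are transcribed from the advisory text.
AFFECTED_RANGES = {          # branch -> (first, last) affected patch, inclusive
    (4, 4): (0, 0),
    (4, 2): (0, 5),
    (4, 0): (0, 3),
}
FIXED_IN = {(4, 4): 2, (4, 2): 6, (4, 0): 4}   # branch -> first fixed patch
ALL_VERSIONS = {(3, 2), (3, 1), (3, 0), (2, 5), (2, 4)}  # "all versions" affected


def parse_version(text):
    """Parse 'major.minor.patch' (an optional leading 'v' is tolerated)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(text):
    """Return (status, upgrade_target) for one FortiSandbox version string.

    status: 'affected' - listed in the advisory
            'fixed'    - at or above the fixed release for its branch
            'unlisted' - the advisory makes no statement about this version
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in ALL_VERSIONS:
        return ("affected", None)       # no in-branch fix is listed
    if branch in FIXED_IN:
        fix = f"{major}.{minor}.{FIXED_IN[branch]}"
        if patch >= FIXED_IN[branch]:
            return ("fixed", None)
        first, last = AFFECTED_RANGES[branch]
        if first <= patch <= last:
            return ("affected", fix)
        # e.g. 4.4.1: below the fixed release but not in the "at least" list
        return ("unlisted", fix)
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed inventory, not data from the advisory.
    for host, ver in [("fsa-lab-1", "4.4.0"), ("fsa-lab-2", "4.4.1"),
                      ("fsa-lab-3", "4.2.6"), ("fsa-lab-4", "3.2.4")]:
        print(host, ver, *triage(ver))
```
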
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.
2023-10-13: Initial publication