FortiSandbox - XSS on delete endpoint

Summary

Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version Affected Solution
FortiSandbox 4.4 4.4.0 through 4.4.1 Upgrade to 4.4.2 or above
FortiSandbox 4.2 4.2.0 through 4.2.5 Upgrade to 4.2.6 or above
FortiSandbox 4.0 4.0.0 through 4.0.3 Upgrade to 4.0.4 or above
FortiSandbox 3.2 3.2 all versions Migrate to a fixed release
FortiSandbox 3.1 3.1 all versions Migrate to a fixed release
FortiSandbox 3.0 3.0 all versions Migrate to a fixed release
FortiSandbox 2.5 2.5 all versions Migrate to a fixed release
FortiSandbox 2.4 2.4.1 Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2023-10-13: Initial publication