Readonly user could execute sensitive operations


A client-side enforcement of server-side security vulnerability [CWE-602] in FortiSandbox may allow an authenticated attacker with at least read-only permission to download or upload configuration.
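
The defect class named above (CWE-602) is easiest to see side by side with its fix. The following is an added example written for this advisory, not Fortinet or FortiSandbox code: a server handler that only verifies the caller is logged in, trusting the web UI to hide the configuration export and import controls from read-only users, next to one that re-checks the session's role against a permission table on every request. The role names, endpoint paths and permission table are constructed for illustration.

```python
"""
Added example (not Fortinet's code) modelling CWE-602, client-side
enforcement of server-side security, and the server-side fix.

Role names, endpoints and the permission table are constructed for
illustration only; they are not FortiSandbox internals.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed role model: read-only users may view, admins may move
# configuration in or out of the device.
PERMISSIONS = {
    "readonly": {"config.view"},
    "admin": {"config.view", "config.download", "config.upload"},
}

# Constructed mapping from endpoint to the permission it requires.
ENDPOINT_PERMISSION = {
    "GET /api/config": "config.view",
    "GET /api/config/export": "config.download",
    "POST /api/config/import": "config.upload",
}


@dataclass
class Request:
    endpoint: str
    session_role: Optional[str]  # role bound to the session; None = not logged in
    body: bytes = b""


@dataclass
class Response:
    status: int
    body: bytes = b""


def _serve(endpoint: str) -> Response:
    """Route bodies shared by both handlers (constructed placeholders)."""
    if endpoint == "GET /api/config":
        return Response(200, b"<config summary>")
    if endpoint == "GET /api/config/export":
        return Response(200, b"<full system configuration>")
    if endpoint == "POST /api/config/import":
        return Response(200, b"imported")
    return Response(404)


def vulnerable_handler(req: Request) -> Response:
    """Vulnerable pattern: the only check is 'is the caller authenticated'.
    The role restriction exists solely in the UI, which hides the export and
    import buttons for read-only users. A read-only user who sends the
    request directly (any HTTP client) is served like an admin."""
    if req.session_role is None:
        return Response(401)
    return _serve(req.endpoint)


# Audit trail kept by the hardened handler; a denied call from a read-only
# session is the signal a defender wants to see in logs.
AUDIT_LOG: List[str] = []


def hardened_handler(req: Request) -> Response:
    """Fixed pattern: authorization is decided on the server from the
    session's role and the endpoint's required permission, regardless of
    what the client rendered or omitted."""
    if req.session_role is None:
        return Response(401)
    needed = ENDPOINT_PERMISSION.get(req.endpoint)
    if needed is None:
        return Response(404)
    if needed not in PERMISSIONS.get(req.session_role, set()):
        AUDIT_LOG.append(
            f"DENY role={req.session_role} endpoint={req.endpoint!r} needs={needed}"
        )
        return Response(403)
    return _serve(req.endpoint)


if __name__ == "__main__":
    ro_export = Request("GET /api/config/export", "readonly")
    print("vulnerable:", vulnerable_handler(ro_export).status)  # 200: config leaks
    print("hardened:  ", hardened_handler(ro_export).status)    # 403: denied
    print(AUDIT_LOG)
```

The check that matters is the one in `hardened_handler`: it resolves the required permission from the endpoint, not from anything the client sent, and it runs for every route, so hiding or removing a button in the UI is no longer load-bearing. Logging the 403 decisions gives a detection hook for read-only sessions that try configuration export or import directly.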

Version           Affected              Solution
FortiSandbox 4.4  4.4.0 through 4.4.4   Upgrade to 4.4.5 or above
FortiSandbox 4.2  4.2.0 through 4.2.6   Upgrade to 4.2.7 or above


Internally discovered and reported by Adham El karn of Fortinet Product Security team.


2024-05-14: Initial publication