error based SQLI on device del feature
Summary
An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSandbox may allow a privileged attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
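The following is an added example, not Fortinet's code: a constructed device-delete handler in the CWE-89 shape the summary describes (request parameter spliced into the SQL text, raw database error echoed back, which is what makes an error-based variant informative), beside the parameterized and input-validated form. Schema, table and function names are assumptions for the demonstration only.

```python
import sqlite3

def make_db():
    """Constructed in-memory inventory; not FortiSandbox's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO devices VALUES (?, ?)",
                   [("dev-1", "sandbox-a"), ("dev-2", "sandbox-b"), ("dev-3", "sandbox-c")])
    return db

def delete_device_vulnerable(db, device_id):
    """CWE-89 pattern: the caller-supplied id becomes part of the SQL statement,
    and the raw database error (including query text) is returned to the caller."""
    sql = f"DELETE FROM devices WHERE id = '{device_id}'"
    try:
        cur = db.execute(sql)
        db.commit()
        return {"deleted": cur.rowcount, "error": None}
    except sqlite3.Error as e:
        return {"deleted": 0, "error": f"{sql}: {e}"}

def delete_device_fixed(db, device_id):
    """Hardened form: allow-list the identifier, bind it as a parameter so it can
    only ever be compared as a value, and never surface the database error text."""
    if not device_id.isascii() or not device_id.replace("-", "").isalnum():
        return {"deleted": 0, "error": "invalid device id"}
    try:
        cur = db.execute("DELETE FROM devices WHERE id = ?", (device_id,))
        db.commit()
        return {"deleted": cur.rowcount, "error": None}
    except sqlite3.Error:
        return {"deleted": 0, "error": "database error"}

def remaining(db):
    """Rows left in the inventory; used to check the effect of each handler."""
    return db.execute("SELECT COUNT(*) FROM devices").fetchone()[0]
```

Detection-wise, the vulnerable handler's two observable symptoms are a delete affecting more rows than one id can match and database error strings reaching the HTTP response; either is worth alerting on in application logs.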
| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.0 | Not affected | Not Applicable |
| FortiSandbox 4.4 | 4.4.0 through 4.4.6 | Upgrade to 4.4.7 or above |
| FortiSandbox 4.2 | 4.2 all versions | Migrate to a fixed release |
| FortiSandbox 4.0 | 4.0 all versions | Migrate to a fixed release |
| FortiSandbox 3.2 | 3.2 all versions | Migrate to a fixed release |
| FortiSandbox 3.1 | 3.1 all versions | Migrate to a fixed release |
| FortiSandbox 3.0 | 3.0 all versions | Migrate to a fixed release |
| FortiSandbox Cloud 24 | 24.1 | Fortinet remediated this issue in 24.2 (not released) and hence customers do not need to perform any action. |
| FortiSandbox Cloud 23 | Not affected | Not Applicable |
Fortinet remediated this issue in FortiSandbox Cloud version 24.2 in Q1/25, so customers need not perform any action.
Acknowledgement
Internally discovered and reported by Adham El karn of Fortinet Product Security team.
Timeline
2025-03-11: Initial publication
2025-05-07: Clarify fix information for FortiSandbox Cloud product