Unauthorized user able to download the device configuration file Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-20-071 Final 1 1 2021-08-03T00:00:00 Current version 2021-08-03T00:00:00 2021-08-03T00:00:00 An improper access control vulnerability (CWE-284) in FortiSandbox may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL. None Improper access control FortiSandbox version 3.2.1 and below.FortiSandbox version 3.1.4 and below. Please upgrade to FortiSandbox version 4.0.0 or above.Please upgrade to FortiSandbox version 3.2.2 or abovePlease upgrade to FortiSandbox version 3.1.5 or above Fortinet is pleased to thank Danilo Costa for reporting this vulnerability under responsible disclosure. CVE-2020-15939 4.2 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-20-071 Unauthorized user able to download the device configuration file Reference>