=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN417

_____________________________________________________________________

DATE                : 19/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiSandbox versions prior to
                     4.4.2 and 4.0.4.

=====================================================================
https://fortiguard.fortinet.com/psirt/FG-IR-23-280
https://fortiguard.fortinet.com/psirt/FG-IR-23-311
https://fortiguard.fortinet.com/psirt/FG-IR-23-273
https://fortiguard.fortinet.com/psirt/FG-IR-23-215
_____________________________________________________________________

FortiSandbox - Arbitrary file delete

IR Number    : FG-IR-23-280
Date         : Oct 13, 2023
Severity     : High
CVSSv3 Score : 7.9
Impact       : Denial of service
CVE ID       : CVE-2023-41682
Affected Products: FortiSandbox 4.4.0, 4.2.5, 4.2.4, 4.2.3, 4.2.2, 4.2.1,
                   4.2.0, 4.0.3, 4.0.2, 4.0.1, 4.0.0, 3.2.4, 3.2.3, 3.2.2,
                   3.2.1, 3.2.0, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0,
                   3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0,
                   2.5.2, 2.5.1, 2.5.0, 2.4.1, 2.4.0


Summary

An improper limitation of a pathname to a restricted directory ('Path
Traversal') vulnerability [CWE-22] in FortiSandbox may allow a low
privileged attacker to delete arbitrary files via crafted HTTP
requests.


Affected Products

At least:
FortiSandbox version 4.4.0
FortiSandbox version 4.2.0 through 4.2.5
FortiSandbox version 4.0.0 through 4.0.3
FortiSandbox 3.2 all versions
FortiSandbox 2.5 all versions
FortiSandbox 2.4 all versions


Solutions

Please upgrade to FortiSandbox version 4.4.2 or above
Please upgrade to FortiSandbox version 4.2.6 or above
Please upgrade to FortiSandbox version 4.0.4 or above


Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product
Security team.


Timeline

2023-10-13: Initial publication

_____________________________________________________________________

FortiSandbox - XSS on delete endpoint

IR Number    : FG-IR-23-311
Date         : Oct 13, 2023
Component    : GUI
Severity     : High
CVSSv3 Score : 7.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2023-41680
Affected Products: FortiSandbox 4.4.1, 4.4.0, 4.2.5, 4.2.4, 4.2.3, 4.2.2,
                   4.2.1, 4.2.0, 4.0.3, 4.0.2, 4.0.1, 4.0.0, 3.2.4, 3.2.3,
                   3.2.2, 3.2.1, 3.2.0, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1,
                   3.1.0, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1,
                   3.0.0, 2.5.2, 2.5.1, 2.5.0, 2.4.1


Summary

Multiple improper neutralization of input during web page generation
('Cross-site Scripting') vulnerabilities [CWE-79] in FortiSandbox may
allow an authenticated attacker to perform a cross-site scripting
attack via crafted HTTP requests.

Version           Affected               Solution
FortiSandbox 4.4  4.4.0 through 4.4.1    Upgrade to 4.4.2 or above
FortiSandbox 4.2  4.2.0 through 4.2.5    Upgrade to 4.4.2 or above
FortiSandbox 4.0  4.0.0 through 4.0.3    Upgrade to 4.0.4 or above
FortiSandbox 3.2  3.2 all versions       Migrate to a fixed release
FortiSandbox 3.1  3.1 all versions       Migrate to a fixed release
FortiSandbox 3.0  3.0 all versions       Migrate to a fixed release
FortiSandbox 2.5  2.5 all versions       Migrate to a fixed release
FortiSandbox 2.4  2.4.1                  Migrate to a fixed release

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product
Security team.


Timeline

2023-10-13: Initial publication

_____________________________________________________________________

FortiSandbox - Reflected Cross Site Scripting (XSS) on the "file
ondemand" rendering endpoint


IR Number    : FG-IR-23-273
Date         : Oct 13, 2023
Component    : GUI
Severity     : High
CVSSv3 Score : 7.3
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2023-41843
Affected Products: FortiSandbox 4.4.1, 4.4.0, 4.2.5, 4.2.4, 4.2.3, 4.2.2,
                   4.2.1, 4.2.0, 4.0.3, 4.0.2, 4.0.1, 4.0.0, 3.2.4, 3.2.3,
                   3.2.2, 3.2.1, 3.2.0, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1,
                   3.1.0, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1,
                   3.0.0, 2.5.2, 2.5.1, 2.5.0, 2.4.1


Summary

An improper neutralization of input during web page generation ('Cross-site
Scripting') vulnerability [CWE-79] in FortiSandbox may allow an
authenticated attacker to perform a cross-site scripting attack
via crafted HTTP requests.

Version           Affected               Solution
FortiSandbox 4.4  4.4.0 through 4.4.1    Upgrade to 4.4.2 or above
FortiSandbox 4.2  4.2.0 through 4.2.5    Upgrade to 4.4.2 or above
FortiSandbox 4.0  4.0.0 through 4.0.3    Upgrade to 4.0.4 or above
FortiSandbox 3.2  3.2 all versions       Migrate to a fixed release
FortiSandbox 3.1  3.1 all versions       Migrate to a fixed release
FortiSandbox 3.0  3.0 all versions       Migrate to a fixed release
FortiSandbox 2.5  2.5 all versions       Migrate to a fixed release
FortiSandbox 2.4  2.4.1                  Migrate to a fixed release

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


Acknowledgement

Fortinet is pleased to thank security researcher Sander Van der Borght
(@Sander__VdB_) for discovering and reporting this vulnerability under
responsible disclosure.


Timeline

2023-10-13: Initial publication


_____________________________________________________________________


FortiSandbox - Reflected Cross Site Scripting (XSS) on download
progress endpoint

IR Number    : FG-IR-23-215
Date         : Oct 13, 2023
Component    : GUI
Severity     : Low
CVSSv3 Score : 3.4
Impact       : Execute unauthorized code or commands
CVE ID       : CVE-2023-41836
Affected Products: FortiSandbox 4.4.0, 4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2.0,
                   4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0.0, 3.2.4, 3.2.3, 3.2.2,
                   3.2.1, 3.2.0, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0,
                   3.0.7, 3.0.6, 3.0.5, 3.0.4


Summary

An improper neutralization of input during web page generation
('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox may
allow an authenticated attacker to perform a cross-site scripting
attack via crafted HTTP requests.

Version           Affected               Solution
FortiSandbox 4.4  4.4.0                  Upgrade to 4.4.2 or above
FortiSandbox 4.2  4.2.0 through 4.2.4    Upgrade to 4.4.2 or above
FortiSandbox 4.0  4.0 all versions       Migrate to a fixed release
FortiSandbox 3.2  3.2 all versions       Migrate to a fixed release
FortiSandbox 3.1  3.1 all versions       Migrate to a fixed release
FortiSandbox 3.0  3.0.4 through 3.0.7

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet
Product Security team.


Timeline

2023-10-13: Initial publication

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
