FortiSandbox - SQL injection in certificate downloading feature

2023-04-1100:00:00

FortiGuard Labs

www.fortiguard.com

fortisandbox

sql injection

cwe-89

linux system

http request

certificate downloading

0.001 Low

EPSS

Percentile

24.2%

JSON

An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiSandbox may allow a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.

CPENameOperatorVersion
fortisandboxeq4.2.0
fortisandboxeq4.0.2
fortisandboxeq4.0.1
fortisandboxeq4.0.0
fortisandboxeq3.2.3
fortisandboxeq3.2.2
fortisandboxeq3.2.1
fortisandboxeq3.2.0
fortisandboxeq3.1.5
fortisandboxeq3.1.4

Name	Operator	Version
fortisandbox	eq	4.2.0
fortisandbox	eq	4.0.2
fortisandbox	eq	4.0.1
fortisandbox	eq	4.0.0
fortisandbox	eq	3.2.3
fortisandbox	eq	3.2.2
fortisandbox	eq	3.2.1
fortisandbox	eq	3.2.0
fortisandbox	eq	3.1.5
fortisandbox	eq	3.1.4

Rows per page:

1-10 of 211

0.001 Low

EPSS

Percentile

24.2%

JSON

Related for FG-IR-22-060