PSIRT Advisory

FortiSandbox reflected XSS in the file scan component

Summary

A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet FortiSandbox may allow an attacker to execute unauthorized code or commands via the back_url parameter in the file scan component.

Impact

Execute unauthorized code or commands

Affected Products

FortiSandbox 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2

Solutions

Upgrade to 3.0.0 or above.
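
Until affected versions are upgraded, web or proxy access logs can be reviewed for requests whose back_url query parameter carries markup or a script scheme. The following is an added example, not code from Fortinet or from the original advisory; the log lines, the request path (a placeholder, since the advisory does not give one) and the matching heuristics are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: these heuristics for "markup or script scheme" are illustrative only.
SUSPICIOUS = re.compile(r"[<>\"'`]|^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)
# Request line as it appears in a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_back_url(log_line):
    """Return the decoded back_url value if it looks like injected markup, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == "back_url":
            decoded = fully_decode(value)  # parse_qsl already decoded one layer
            if SUSPICIOUS.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_back_url(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines; PLACEHOLDER_PATH stands in for the unknown endpoint.
PREFIX = '192.0.2.10 - - [01/Jan/2024:00:00:00 +0000] "GET /PLACEHOLDER_PATH?'
SAMPLE = [
    PREFIX + 'back_url=%2Fjob%2Flist HTTP/1.1" 200 512',
    PREFIX + 'id=7&back_url=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 512',
    PREFIX + 'back_url=%253Cscript%253E1%253C%252Fscript%253E HTTP/1.1" 200 512',
    PREFIX + 'back_url=javascript%3Avoid(0) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE):
        print(f"line {number}: suspicious back_url -> {value!r}")
```

A hit indicates a request worth reviewing, not a confirmed compromise; values containing quotes for legitimate reasons will also be flagged.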

Acknowledgement

Fortinet thanks Yasar Calay, Beyaz Bilgisayar Danışmanlık, Hizmetleri Ltd.Şti. for reporting this vulnerability.