A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
The vulnerability results from improper neutralization of special characters used in operating system commands (CWE-78). An attacker can supply crafted input data, which is then passed to a system command interpreter without proper sanitization. This allows injection and execution of arbitrary OS commands in the context of the vulnerable application.
An unauthenticated attacker can remotely execute arbitrary system commands on the device, leading to complete breach of confidentiality, integrity, and availability of the system (RCE).
Apply patches available from the vendor according to the references (https://fortiguard.fortinet.com/psirt/FG-IR-26-100). Until the update is applied, it is recommended to restrict network access to the FortiSandbox management interface exclusively to trusted hosts.
Fortinet FortiSandbox versions 4.4.0 through 4.4.8 inclusive
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet Fortisandbox
APPFortinet4.4.0 – 4.4.9
Related vulnerabilities
Command injection w Fortinet FortiSandbox — dostęp bez uwierzytelnienia
Brak autoryzacji w Fortinet FortiSandbox umożliwia zdalne wykonanie kodu
A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 ...
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79]...
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [C...