PT-2021-7459 · Fortinet · FortiSandbox
Published: 2021-08-03 · Updated: 2021-08-10 · CVE-2021-26097
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
FortiSandbox versions 3.0.0 through 3.0.6
FortiSandbox versions 3.1.0 through 3.1.4
FortiSandbox versions 3.2.0 through 3.2.2
Description
The vulnerability is an improper neutralization of special elements used in an OS command (OS command injection). It can be exploited by sending specially crafted HTTP requests to the web interface, which could allow a remote attacker to execute arbitrary commands.
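The following is an added illustration, not FortiSandbox or Fortinet code, of the general weakness class this advisory describes: a web parameter spliced into an OS command line next to the hardened form a defender would expect (allow-list validation, then an argument list passed to the process without a shell). The parameter name, the hostname format and the sample values are constructed for the example.

```python
"""
Added example (not the vendor's code): the OS command injection pattern
named in the advisory, shown as a vulnerable builder beside a hardened one.
The unsafe builder only returns the command string so that the effect of
untrusted input can be inspected without running anything.
"""
import re
import shlex
import subprocess

# Constructed sample values, as a web form or query parameter might carry them.
SAMPLE_GOOD = "example.com"
SAMPLE_BAD = "example.com; id"


def build_shell_command_unsafe(target: str) -> str:
    """Vulnerable pattern: request data is concatenated straight into a shell
    command line. Any shell metacharacter in `target` changes the command.
    Returned as a string rather than executed, so the test can inspect it."""
    return f"ping -c 1 {target}"


# Allow-list for the only value type this (hypothetical) handler accepts:
# a DNS hostname of 1-253 chars made of labels of 1-63 alphanumerics/hyphens,
# with no leading or trailing hyphen per label.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_hostname(value: str) -> bool:
    """Positive validation: reject anything that is not a plain hostname,
    which excludes ';', '|', '$(', backticks, spaces and so on by construction."""
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_argv_safe(target: str) -> list[str]:
    """Hardened pattern: validate against the allow-list, then hand the value
    to the process as a single argv element so no shell ever parses it."""
    if not validate_hostname(target):
        raise ValueError("rejected: parameter is not a valid hostname")
    return ["ping", "-c", "1", target]


def build_shell_command_quoted(target: str) -> str:
    """Fallback when a shell cannot be avoided: shlex.quote turns the whole
    value into one literal word, so metacharacters lose their meaning.
    Validation should still run first; quoting alone is a second layer."""
    return f"ping -c 1 {shlex.quote(target)}"


def run_safe(target: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened form: argv list, shell=False, bounded runtime."""
    return subprocess.run(
        build_argv_safe(target),
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
    )


if __name__ == "__main__":
    # Nothing is executed here; the builders are shown side by side.
    print("unsafe :", build_shell_command_unsafe(SAMPLE_BAD))
    print("quoted :", build_shell_command_quoted(SAMPLE_BAD))
    print("argv   :", build_argv_safe(SAMPLE_GOOD))
    try:
        build_argv_safe(SAMPLE_BAD)
    except ValueError as exc:
        print("reject :", exc)
```

The two defensive layers are independent: `validate_hostname` decides what the handler is willing to accept at all, and the argv form (or `shlex.quote` where a shell is unavoidable) makes sure that whatever does get through is treated as data rather than as command syntax. The advisory's workaround of restricting access to the web GUI reduces who can reach such a handler; it does not change what the handler does with its input.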
Recommendations
For FortiSandbox versions 3.0.0 through 3.0.6, update to a version that includes a fix for this issue.
For FortiSandbox versions 3.1.0 through 3.1.4, update to a version that includes a fix for this issue.
For FortiSandbox versions 3.2.0 through 3.2.2, update to a version that includes a fix for this issue.
As a temporary workaround, consider restricting access to the web GUI to minimize the risk of exploitation.
Weakness Enumeration
OS Command Injection
Related Identifiers
CVE-2021-26097
Affected Products
FortiSandbox