Vulnerabilities > Fortinet > Fortisandbox > 3.1.1

DATE CVE VULNERABILITY TITLE RISK
2023-04-11 CVE-2022-27485 SQL Injection vulnerability in Fortinet Fortisandbox
A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.
network
low complexity
fortinet CWE-89
6.5
2023-04-11 CVE-2022-27487 Improper Privilege Management vulnerability in Fortinet Fortideceptor and Fortisandbox
A improper privilege management in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.
network
low complexity
fortinet CWE-269
8.8
2022-12-06 CVE-2022-30305 Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortideceptor and Fortisandbox
An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.
network
low complexity
fortinet CWE-307
7.5
2022-04-06 CVE-2020-29013 Improper Input Validation vulnerability in Fortinet Fortisandbox
An improper input validation vulnerability in the sniffer interface of FortiSandbox before 3.2.2 may allow an authenticated attacker to silently halt the sniffer via specifically crafted requests.
network
low complexity
fortinet CWE-20
5.4
2021-09-08 CVE-2020-29012 Insufficient Session Expiration vulnerability in Fortinet Fortisandbox
An insufficient session expiration vulnerability in FortiSandbox versions 3.2.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
network
low complexity
fortinet CWE-613
5.3
2021-09-06 CVE-2020-15939 Unspecified vulnerability in Fortinet Fortisandbox
An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.
network
low complexity
fortinet
4.3
2021-08-04 CVE-2021-22124 Resource Exhaustion vulnerability in Fortinet Fortiauthenticator and Fortisandbox
An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator before 6.0.6 may allow an unauthenticated attacker to bring the device into an unresponsive state via specifically-crafted long request parameters.
network
low complexity
fortinet CWE-400
7.5
2021-08-04 CVE-2021-24014 Cross-site Scripting vulnerability in Fortinet Fortisandbox
Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters.
network
low complexity
fortinet CWE-79
6.1
2021-08-04 CVE-2021-26096 Out-of-bounds Write vulnerability in Fortinet Fortisandbox
Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenticated attacker to manipulate memory and alter its content by means of specifically crafted command line arguments.
network
low complexity
fortinet CWE-787
8.8
2021-08-04 CVE-2020-29011 SQL Injection vulnerability in Fortinet Fortisandbox
Instances of SQL Injection vulnerabilities in the checksum search and MTA-quarantine modules of FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests.
network
low complexity
fortinet CWE-89
8.8