PSIRT Advisory

Multiple XSS vulnerabilities in FortiSandbox WebUI

Description

The Web User Interface of FortiSandbox versions 2.0.4 and below is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities.
Five potential XSS vectors were identified:
* FortiView threats by users search filtered by serial
* FortiView threats by users search filtered by vdom
* Export report feature in the FortiView search page
* Screenshot download generated by the VM scan feature
* PCAP file download generated by the VM scan feature

Impact

XSS

Affected Products

FortiSandbox 2.0.4 and lower.

Solutions

Upgrade to FortiSandbox 2.1 or above.

Acknowledgement

Thanks to John Page.