CVE-2023-41836

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-23-215	Patch Third Party Advisory
https://fortiguard.com/psirt/FG-IR-23-215	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox:4.4.0:::::::*

History

21 Nov 2024, 08:21

Type	Values Removed	Values Added
References	~~() https://fortiguard.com/psirt/FG-IR-23-215 - Patch, Third Party Advisory~~	() https://fortiguard.com/psirt/FG-IR-23-215 - Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.1~~	v2 : unknown v3 : 3.5

16 Oct 2023, 16:07

Type	Values Removed	Values Added
First Time		Fortinet Fortinet fortisandbox
CPE		cpe:2.3:a:fortinet:fortisandbox:::::::: cpe:2.3:a:fortinet:fortisandbox:4.4.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
References	~~(MISC) https://fortiguard.com/psirt/FG-IR-23-215 -~~	(MISC) https://fortiguard.com/psirt/FG-IR-23-215 - Patch, Third Party Advisory
CWE		CWE-79

13 Oct 2023, 15:20

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-13 15:15

Updated : 2024-11-21 08:21

NVD link : CVE-2023-41836

Mitre link : CVE-2023-41836

CVE.ORG link : CVE-2023-41836

JSON object : View

Products Affected

fortinet

fortisandbox

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-41836", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-10-13T15:15:44.183", "references": [{"url": "https://fortiguard.com/psirt/FG-IR-23-215", "tags": ["Patch", "Third Party Advisory"], "source": "psirt@fortinet.com"}, {"url": "https://fortiguard.com/psirt/FG-IR-23-215", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@fortinet.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests."}, {"lang": "es", "value": "Una neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de la p\u00e1gina web (\"cross-site scripting\") en Fortinet FortiSandbox versi\u00f3n 4.4.0 y 4.2.0 a 4.2.4, y 4.0.0 a 4.0.4 y 3.2.0 a 3.2.4 y Las versiones 3.1.0 a 3.1.5 y 3.0.4 a 3.0.7 permiten a un atacante ejecutar c\u00f3digo o comandos no autorizados a trav\u00e9s de solicitudes HTTP manipuladas."}], "lastModified": "2024-11-21T08:21:46.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71C81F0A-7F0D-4C8E-A17A-E252EDF34283", "versionEndIncluding": "3.0.7", "versionStartIncluding": "3.0.4"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C47A3DB-A02A-488D-B0E1-867A19CE43B8", "versionEndIncluding": "3.1.5", "versionStartIncluding": "3.1.0"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16BB4915-1330-45E5-887E-AD97C29F500B", "versionEndIncluding": "3.2.4", "versionStartIncluding": "3.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5197A546-B82E-4407-9CC4-8DF4C4323605", "versionEndIncluding": "4.0.4", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34072229-3DBA-4317-8BB0-41A657A52C70", "versionEndIncluding": "4.2.4", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0CD764B6-2235-4C06-8A0C-AF5889B027F7"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}