Details of VAR-202312-1696

ID

VAR-202312-1696

CVE

CVE-2023-41844

TITLE

fortinet's FortiSandbox Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-020029

DESCRIPTION

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests in capture traffic endpoint. fortinet's FortiSandbox Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection device from the American company Fortinet. The appliance offers features such as dual sandboxing technology, a dynamic threat intelligence system, real-time dashboards and reporting

Trust: 2.16

sources: NVD: CVE-2023-41844 // JVNDB: JVNDB-2023-020029 // CNVD: CNVD-2024-09278

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-09278

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	eq	version:	4.4.0	Trust: 1.6
vendor:	fortinet	model:	fortisandbox	scope:	eq	version:	4.4.1	Trust: 1.6
vendor:	fortinet	model:	fortisandbox	scope:	eq	version:	4.4.2	Trust: 1.6
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	3.0.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	4.2.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	3.1.5	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.1.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	3.2.4	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lte	version:	4.0.4	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	-	version:	-	Trust: 0.8
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.1.0,<=3.1.5	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.2.0,<=3.2.4	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.0,<=3.0.7	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0,<=4.2.5	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.0.0,<=4.0.4	Trust: 0.6

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-41844
value:	MEDIUM
Trust: 1.0
psirt@fortinet.com:	CVE-2023-41844
value:	LOW
Trust: 1.0
NVD:	CVE-2023-41844
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2024-09278
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-09278
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-41844
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.1
Trust: 1.0
psirt@fortinet.com:	CVE-2023-41844
baseSeverity:	LOW
baseScore:	3.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.1
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2023-41844
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844 // NVD: CVE-2023-41844

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

PATCH

title:	FG-IR-23-214	url:	https://www.fortiguard.com/psirt/FG-IR-23-214	Trust: 0.8
title:	Patch for Fortinet FortiSandbox cross-site scripting vulnerability (CNVD-2024-0927851)	url:	https://www.cnvd.org.cn/patchInfo/show/526066	Trust: 0.6

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029

EXTERNAL IDS

db:	NVD	id:	CVE-2023-41844	Trust: 3.2
db:	JVNDB	id:	JVNDB-2023-020029	Trust: 0.8
db:	CNVD	id:	CNVD-2024-09278	Trust: 0.6

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2023-41844	Trust: 1.4
url:	https://fortiguard.com/psirt/fg-ir-23-214	Trust: 1.0

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

SOURCES

db:	CNVD	id:	CNVD-2024-09278
db:	JVNDB	id:	JVNDB-2023-020029
db:	NVD	id:	CVE-2023-41844

LAST UPDATE DATE

2024-08-14T13:52:01.169000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-09278	date:	2024-02-21T00:00:00
db:	JVNDB	id:	JVNDB-2023-020029	date:	2024-01-15T07:49:00
db:	NVD	id:	CVE-2023-41844	date:	2023-12-15T19:34:33.480

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-09278	date:	2024-02-09T00:00:00
db:	JVNDB	id:	JVNDB-2023-020029	date:	2024-01-15T00:00:00
db:	NVD	id:	CVE-2023-41844	date:	2023-12-13T07:15:18.887