ID

VAR-202312-1696


CVE

CVE-2023-41844


TITLE

Cross-site scripting vulnerability in Fortinet FortiSandbox

Trust: 0.8

sources: JVNDB: JVNDB-2023-020029

DESCRIPTION

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox versions 4.4.0 and 4.4.1, 4.2.0 through 4.2.5, 4.0.0 through 4.0.3, 3.2.0 through 3.2.4, 3.1.0 through 3.1.5 and 3.0.0 through 3.0.4 allows an attacker to execute unauthorized code or commands (script running in the browser of a user who views the affected page) via crafted HTTP requests to the capture traffic endpoint. Fortinet FortiSandbox contains a cross-site scripting vulnerability; information may be obtained and tampered with. Note that the affected-product entries below extend the 4.0 and 3.0 ranges to 4.0.4 and 3.0.7 and also list 4.4.2; consult the vendor advisory FG-IR-23-214 for the authoritative affected and fixed releases. Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection appliance from the American company Fortinet. The appliance offers features such as dual sandboxing technology, a dynamic threat intelligence system, real-time dashboards and reporting.

Trust: 2.16

sources: NVD: CVE-2023-41844 // JVNDB: JVNDB-2023-020029 // CNVD: CNVD-2024-09278

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-09278

AFFECTED PRODUCTS

vendor:fortinetmodel:fortisandboxscope:eqversion:4.4.0

Trust: 1.6

vendor:fortinetmodel:fortisandboxscope:eqversion:4.4.1

Trust: 1.6

vendor:fortinetmodel:fortisandboxscope:eqversion:4.4.2

Trust: 1.6

vendor:fortinetmodel:fortisandboxscope:lteversion:3.0.7

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:gteversion:3.0.0

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:lteversion:4.2.5

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:gteversion:4.0.0

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:lteversion:3.1.5

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:gteversion:3.1.0

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:gteversion:4.2.0

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:lteversion:3.2.4

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:gteversion:3.2.0

Trust: 1.0

vendor:fortinetmodel:fortisandboxscope:lteversion:4.0.4

Trust: 1.0

vendor:フォーティネットmodel:fortisandboxscope:eqversion: -

Trust: 0.8

vendor:フォーティネットmodel:fortisandboxscope: - version: -

Trust: 0.8

vendor:fortinetmodel:fortisandboxscope:gteversion:3.1.0,<=3.1.5

Trust: 0.6

vendor:fortinetmodel:fortisandboxscope:gteversion:3.2.0,<=3.2.4

Trust: 0.6

vendor:fortinetmodel:fortisandboxscope:gteversion:3.0.0,<=3.0.7

Trust: 0.6

vendor:fortinetmodel:fortisandboxscope:gteversion:4.2.0,<=4.2.5

Trust: 0.6

vendor:fortinetmodel:fortisandboxscope:gteversion:4.0.0,<=4.0.4

Trust: 0.6

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-41844
value: MEDIUM

Trust: 1.0

psirt@fortinet.com: CVE-2023-41844
value: LOW

Trust: 1.0

NVD: CVE-2023-41844
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2024-09278
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2024-09278
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-41844
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

psirt@fortinet.com: CVE-2023-41844
baseSeverity: LOW
baseScore: 3.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 1.4
version: 3.1

Trust: 1.0

NVD: CVE-2023-41844
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

PATCH

title:FG-IR-23-214url:https://www.fortiguard.com/psirt/FG-IR-23-214

Trust: 0.8

title:Patch for Fortinet FortiSandbox cross-site scripting vulnerability (CNVD-2024-0927851)url:https://www.cnvd.org.cn/patchInfo/show/526066

Trust: 0.6

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029

EXTERNAL IDS

db:NVDid:CVE-2023-41844

Trust: 3.2

db:JVNDBid:JVNDB-2023-020029

Trust: 0.8

db:CNVDid:CNVD-2024-09278

Trust: 0.6

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2023-41844

Trust: 1.4

url:https://fortiguard.com/psirt/fg-ir-23-214

Trust: 1.0

sources: CNVD: CNVD-2024-09278 // JVNDB: JVNDB-2023-020029 // NVD: CVE-2023-41844

SOURCES

db:CNVDid:CNVD-2024-09278
db:JVNDBid:JVNDB-2023-020029
db:NVDid:CVE-2023-41844

LAST UPDATE DATE

2024-08-14T13:52:01.169000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2024-09278date:2024-02-21T00:00:00
db:JVNDBid:JVNDB-2023-020029date:2024-01-15T07:49:00
db:NVDid:CVE-2023-41844date:2023-12-15T19:34:33.480

SOURCES RELEASE DATE

db:CNVDid:CNVD-2024-09278date:2024-02-09T00:00:00
db:JVNDBid:JVNDB-2023-020029date:2024-01-15T00:00:00
db:NVDid:CVE-2023-41844date:2023-12-13T07:15:18.887