CVE-2020-15939 — Incorrect Authorization in Fortinet Fortisandbox

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortisandbox Fortinet Fortisandbox

Timeline

PublishedSep 6

Latest updateMay 24

Description

An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allow an authenticated, unprivileged attacker to download the device configuration file via the recovery URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDfortinet/fortisandbox3.2.0 — 3.2.2+1

▶CVEListV5fortinet/fortinet_fortisandboxFortiSandbox 3.2.1, 3.1.4

🔴Vulnerability Details

GHSA

GHSA-v8wg-346x-j7mw: An improper access control vulnerability (CWE-284) in FortiSandbox versions 3↗2022-05-24

▶

CVEList

CVE-2020-15939: An improper access control vulnerability (CWE-284) in FortiSandbox versions 3↗2021-09-06

▶

📋Vendor Advisories

Fortinet

An improper access control vulnerability (CWE-284) in FortiSandbox versions 3.2.1 and below and 3.1.4 and below may allo...↗2021-09-06

▶