CVE-2024-27778 — OS Command Injection in Fortinet Fortisandbox

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 33.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortisandbox

Timeline

PublishedJan 14

Description

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.5 through 3.0.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDfortinet/fortisandbox3.0.5 — 4.0.5+2

▶CVEListV5fortinet/fortisandbox4.4.0 — 4.4.4+5

🔴Vulnerability Details

GHSA

GHSA-q35w-cr5p-7qc3: An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in Fortinet FortiSandbox version 4↗2025-01-14

▶

CVEList

CVE-2024-27778: An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4↗2025-01-14

▶

📋Vendor Advisories

Fortinet

OS command injection↗2025-01-14

▶