CVE-2021-26097

An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests.

Published: Aug 4, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-26097
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
fortinet / fortisandbox	3.2.0	3.2.3
fortinet / fortisandbox	3.1.0	3.1.5
fortinet / fortisandbox	-	3.0.7

https://fortiguard.com/advisory/FG-IR-20-198

Vulnerability Database

289,871

CVE-2021-26097