CVE-2021-26097

{"id": "CVE-2021-26097", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "psirt@fortinet.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-08-04T16:15:08.287", "references": [{"url": "https://fortiguard.com/advisory/FG-IR-20-198", "tags": ["Vendor Advisory"], "source": "psirt@fortinet.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests."}, {"lang": "es", "value": "Una neutralizaci\u00f3n inapropiada de los elementos especiales usados en una vulnerabilidad de comandos del Sistema Operativo en FortiSandbox versiones 3.2.0 hasta 3.2.2, versiones 3.1.0 hasta 3.1.4, y versiones 3.0.0 hasta 3.0.6, puede permitir a un atacante autenticado con acceso a la interfaz gr\u00e1fica de usuario web ejecutar c\u00f3digo o comandos no autorizados por medio de peticiones HTTP espec\u00edficamente dise\u00f1adas"}], "lastModified": "2021-08-10T23:37:41.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79D21450-0045-4366-8AE2-305E84862DFD", "versionEndExcluding": "3.0.7"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA2F5BDA-37D4-4D3D-9143-FAC893546A4A", "versionEndExcluding": "3.1.5", "versionStartIncluding": "3.1.0"}, {"criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F485DCE0-8055-418B-A91D-F9D647F3BFD3", "versionEndExcluding": "3.2.3", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@fortinet.com"}