Fortiweb path traversal vulnerability

Summary

A path traversal vulnerability allows an administrator account with read and write privileges to read arbitrary files using the autolearn feature.

Affected Products

FortiWeb 4.4.6 to 5.5.2 with the autolearn feature configured.

Solutions

Upgrade to FortiWeb 5.5.3.
 
As a workaround the administrators privileges could be changed to read-only.

Acknowledgement

Fortinet is pleased to thanks Ewoud Vlasselaer from Dimension Data Belgium for reporting a FortiWeb vulnerability under responsible disclosure.