FortiPortal - Use of a predictable salt and digest-based algorithm for password hashing


A use of a one-way hash with a predictable salt (CWE-760) vulnerability in the password storage mechanism of FortiPortal may allow an attacker already in possession of the password store to recover the passwords by means of precomputed tables.
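
The weakness class described above, as an added example that is not Fortinet's code. The advisory does not state FortiPortal's actual digest or salt, so the fixed salt, the SHA-256 digest, the PBKDF2 parameters and all function names below are assumptions chosen for illustration; the sample accounts are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Hypothetical predictable salt: identical for every account and every install.
FIXED_SALT = b"static-salt"
PBKDF2_ROUNDS = 600_000  # assumed work factor for the hardened variant


def weak_hash(password: str) -> str:
    """Weak form: one fast digest over a salt that never changes.

    Equal passwords always yield equal hashes, so one table built for
    this salt applies to every stored entry.
    """
    return hashlib.sha256(FIXED_SALT + password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened form: slow KDF with a fresh 16-byte random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_strong(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = strong_hash(password, salt)
    return hmac.compare_digest(key, expected)


def duplicate_hashes(store: dict[str, str]) -> dict[str, list[str]]:
    """Audit check: accounts sharing an identical stored hash.

    Any hit means the salt is not unique per password.
    """
    groups: dict[str, list[str]] = {}
    for user, digest in store.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}
```

Running `duplicate_hashes` over an exported credential table is a quick way to spot a shared or missing salt during a review.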

Affected Products

FortiPortal 6.0.4 and below.


Upgrade to FortiPortal 6.0.5 or above.


Discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.