PSIRT Advisories

FortiWeb - Open redirect due to missing domain whitelisting


A URL redirection to untrusted site ('Open Redirect') [CWE-601] in FortiWeb may allow an authenticated attacker to use the device as proxy to reach any protected host via crafted HTTP requests.

Affected Products

FortiWeb version 6.0.0 through 6.0.7
FortiWeb version 6.1.0 through 6.1.2
FortiWeb version 6.2.0 through 6.2.7
FortiWeb version 6.3.0 through 6.3.15
FortiWeb version 6.4.0 through 6.4.1



Upgrade to FortiWeb version 7.0.0 and above
Upgrade to FortiWeb version 6.4.2 and above
Upgrade to FortiWeb version 6.3.16 and above


Internally discovered and reported by Mattia Fecit of Fortinet Product Security team.