PSIRT Advisories

FortiWeb - Path traversal in API controller

Summary

Multiple relative path traversal vulnerabilities [CWE-23] in the API of FortiWeb may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.

Affected Products

FortiWeb versions 6.4.1 and below.
FortiWeb versions 6.3.15 and below.
FortiWeb versions 6.2.6 and below.
FortiWeb versions 6.1.2 and below.
FortiWeb versions 6.3.15 and below.

Solutions

Upgrade to FortiWeb 7.0.0 or above.
Upgrade to FortiWeb 6.4.2 or above.
Upgrade to FortiWeb 6.3.16 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.