FortiWeb - Path traversal in API handler

Summary

A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an authenticated attacker to obtain unauthorized access to files and data via specifically crafted HTTP GET requests.
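The defect class named above (CWE-23, a relative path traversal reachable through HTTP GET) is prevented in a file-serving handler by canonicalising the client-supplied path and checking that it still lies under the served directory. The following is an added illustration of that check, not Fortinet's code and not a description of FortiWeb's internals; the base directory, the sample request paths and the helper names are constructed for the demonstration.

```python
"""
Added example (not Fortinet's code): a defensive path-resolution check of the
kind that prevents relative path traversal (CWE-23) in an HTTP file handler.
The base directory and the request paths below are constructed for the demo.
"""
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the served directory."""


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Map a client-supplied relative path onto an absolute path under base_dir.

    Steps (assumptions of this example, not FortiWeb's implementation):
      1. Percent-decode the request path once; reject any remaining '%' so a
         doubly-encoded dot segment cannot survive a later decode.
      2. Reject NUL bytes and absolute paths.
      3. Canonicalise with realpath (collapses '..' and follows symlinks) and
         verify the result is still inside the canonical base directory.
    """
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded:
        raise PathTraversalError("unexpected encoding or NUL byte")
    # Treat backslashes as separators too, so the check sees every segment.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise PathTraversalError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath rather than startswith: '/srv/www' must not match '/srv/www2'.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("path escapes the served directory")
    return candidate


def is_safe_request(base_dir: str, requested: str) -> bool:
    """True if the request resolves inside base_dir, False if it is rejected."""
    try:
        resolve_under_base(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Run the check against a handful of constructed request paths."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "docs"))
        samples = [
            "docs/index.html",      # ordinary request: allowed
            "docs/../docs/a.txt",   # dot segment that stays inside: allowed
            "../secret.txt",        # parent escape: rejected
            "docs/%2e%2e/../x",     # encoded dot segments: rejected
            "%252e%252e/x",         # double-encoded: rejected by the '%' rule
            "/abs/elsewhere",       # absolute path: rejected
        ]
        return {s: is_safe_request(base, s) for s in samples}


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{'allow' if ok else 'block':5}  {request}")
```

The decisive step is comparing the canonical candidate against the canonical base after normalisation; string filtering of `..` alone is what encoded or mixed-separator variants get past. The same check is the one to apply to the authenticated API endpoints an upgrade fixes, since authentication does not by itself bound which files a handler will read.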

Affected Products

FortiWeb version 7.0.0 through 7.0.1
FortiWeb version 6.3.6 through 6.3.18
FortiWeb 6.4 all versions

Solutions

Upgrade FortiWeb to version 7.0.2 and above.
Upgrade FortiWeb to version 6.3.19 and above.

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.