PSIRT Advisories

FortiWeb - Relative path traversal in web API

Summary

A path traversal vulnerability [CWE-23] in the API of FortiWeb may allow an unauthenticated attacker to retrieve specific parts of files from the underlying file system via specially crafted web requests.
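To illustrate the vulnerability class named above (CWE-23, relative path traversal in a file-serving web API), the following is an added example and not FortiWeb code; the advisory does not disclose the affected endpoint or parameter, so the handler names, the document root and the sample files are all constructed for the demonstration. It shows a naive handler that joins a client-supplied name onto the document root, which lets ".." segments walk out of it, beside a hardened handler that canonicalises the path and checks containment before opening anything.

```python
"""CWE-23 in a file-serving API: naive handler beside a hardened one.

Illustrative only; not FortiWeb code. Handler names, the document root
and the files below are assumptions constructed for this demonstration.
"""
import os
import tempfile

# Constructed sandbox: a document root with one public file, and a
# "secret" file one level above the root that the API must never serve.
_BASE = tempfile.mkdtemp(prefix="cwe23-demo-")
DOC_ROOT = os.path.join(_BASE, "www")
os.makedirs(os.path.join(DOC_ROOT, "static"))
with open(os.path.join(DOC_ROOT, "static", "index.html"), "w") as fh:
    fh.write("<html>public</html>")
with open(os.path.join(_BASE, "secret.conf"), "w") as fh:
    fh.write("admin_password=hunter2\n")


def serve_naive(name: str) -> str:
    """Vulnerable: trusts the client-supplied relative name.

    os.path.join neither strips ".." nor confines the result, so
    "../secret.conf" resolves to a file outside DOC_ROOT (CWE-23).
    An absolute name would discard DOC_ROOT entirely (CWE-36).
    """
    path = os.path.join(DOC_ROOT, name)
    with open(path) as f:
        return f.read()


def serve_hardened(name: str) -> str:
    """Hardened: canonicalise, then verify the result stays under the root.

    realpath() collapses ".." and resolves symlinks, so a symlink placed
    inside DOC_ROOT that points outside is rejected as well. The check is
    done on the canonical path, not on the raw input, so encoding tricks
    that only obscure the string do not help the attacker.
    """
    root = os.path.realpath(DOC_ROOT)
    path = os.path.realpath(os.path.join(root, name))
    try:
        inside = os.path.commonpath([root, path]) == root
    except ValueError:  # different drives on Windows: definitely outside
        inside = False
    if not inside:
        raise PermissionError(f"path escapes document root: {name!r}")
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Run both handlers against a benign and a traversing request."""
    results = {
        "naive_public": serve_naive("static/index.html"),
        "naive_traversal": serve_naive("../secret.conf"),  # leaks the secret
        "hardened_public": serve_hardened("static/index.html"),
    }
    for label, req in (("hardened_traversal", "../secret.conf"),
                       ("hardened_absolute", "/etc/passwd")):
        try:
            serve_hardened(req)
            results[label] = "LEAKED"
        except PermissionError:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The containment check belongs after canonicalisation and before the open; checking for a literal ".." in the raw request string is not sufficient, because the same escape can be expressed through symlinks, redundant separators or encodings the framework decodes later. Note that realpath() followed by open() is still a time-of-check/time-of-use window if an attacker can rearrange the filesystem between the two calls; where that matters, open the root directory once and use a relative-open primitive such as os.open with dir_fd.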

Affected Products

At least
FortiWeb version 7.0.0 through 7.0.1
FortiWeb version 6.3.0 through 6.3.19
FortiWeb 6.4 all versions
FortiWeb 6.2 all versions
FortiWeb 6.1 all versions
FortiWeb 6.0 all versions

Solutions

Please upgrade to FortiWeb version 7.0.2 or above
Please upgrade to FortiWeb version 6.3.20 or above

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.