Header injection in FortiWeb API


An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] In FortiWeb API may allow an authenticated and remote attacker to inject arbitrary headers.

Version Affected Solution
FortiWeb 7.2 Not affected Not Applicable
FortiWeb 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above
FortiWeb 6.4 6.4 all versions Migrate to a fixed release
FortiWeb 6.3 6.3.6 through 6.3.23 Migrate to a fixed release


Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.