PSIRT Advisories

FortiWeb - header injection in FortiWeb API


An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability [CWE-113] in FortiWeb API may allow an authenticated and remote attacker to inject arbitrary headers.
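
As an added illustration of the weakness class named above (CWE-113), the following Python is not FortiWeb code and does not describe how the FortiWeb API builds its headers. It shows a header serializer that copies values verbatim, the extra field a receiver sees when a value carries a CRLF sequence, and the validation step that neutralizes it. Every header name and value in it is constructed for the example.

```python
"""CWE-113 (HTTP response splitting): a verbatim header serializer next to a
validating one. Constructed example; not FortiWeb code."""
import re

# RFC 7230 "token" characters, the only ones allowed in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Characters that end or alter a header line once it is serialized.
_FORBIDDEN_IN_VALUE = {"\r", "\n", "\0"}


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break the header block."""


def serialize_headers_unsafe(headers):
    """Vulnerable serialization: copies caller-supplied values verbatim.

    A value containing CRLF terminates the current field line and starts
    a new one, so the receiver sees a header the application never set.
    """
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def validate_header(name, value):
    """Reject names that are not RFC 7230 tokens and values containing
    CR, LF or NUL. Returns the (name, value) pair unchanged on success."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    bad = [c for c in value if c in _FORBIDDEN_IN_VALUE]
    if bad:
        raise HeaderInjectionError(
            f"header {name!r} value contains control character {bad[0]!r}")
    return name, value


def header_is_safe(name, value):
    """Boolean wrapper around validate_header, handy for tests and logging."""
    try:
        validate_header(name, value)
        return True
    except HeaderInjectionError:
        return False


def serialize_headers_safe(headers):
    """Hardened serialization: every field is validated before it is emitted,
    so an embedded CRLF raises instead of producing an extra header line."""
    return serialize_headers_unsafe([validate_header(n, v) for n, v in headers])


def parse_header_block(raw):
    """Parse a serialized header block into (name, value) pairs the way a
    downstream client would, to count the fields a receiver actually sees."""
    fields = []
    for line in raw.split("\r\n"):
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def count_received_headers(headers, safe):
    """Number of header fields a receiver would see for the given input,
    using the validating serializer when safe=True."""
    serializer = serialize_headers_safe if safe else serialize_headers_unsafe
    return len(parse_header_block(serializer(headers)))


if __name__ == "__main__":
    # Constructed input: the second value carries a CRLF sequence.
    constructed = [
        ("Content-Type", "application/json"),
        ("X-Request-Id", "abc123\r\nX-Injected: yes"),
    ]
    # Two headers were set, but the verbatim serializer yields three fields.
    print("unsafe field count:", count_received_headers(constructed, safe=False))
    try:
        count_received_headers(constructed, safe=True)
    except HeaderInjectionError as exc:
        print("safe serializer rejected input:", exc)
```

The check belongs at the point where a header value is assembled from request-controlled data, before serialization; rejecting the request is preferable to silently stripping the control characters, since the rejection is also what you want to see in the application log.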

Affected Products

FortiWeb version 7.0.0 through 7.0.2
FortiWeb version 6.4.0 through 6.4.2
FortiWeb version 6.3.6 through 6.3.20

Solutions

Please upgrade to FortiWeb version 7.2.0 or above
Please upgrade to FortiWeb version 7.0.3 or above

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.