FortiWeb - Unauthorized Configuration Download Vulnerability


An unauthorized configuration download vulnerability [CWE-285] in FortiWeb may allow a local attacker to access confidential configuration files via a crafted HTTP request.

Affected Products

FortiWeb version 7.0.0 through 7.0.4
FortiWeb version 6.4.0 through 6.4.2
FortiWeb version 6.3.6 through 6.3.21


Solutions

Please upgrade to FortiWeb version 7.0.5 or above.
Please upgrade to FortiWeb version 7.2.0 or above.
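Added example (not part of the advisory and not Fortinet's code): a small Python check that tells whether a FortiWeb version string from an asset inventory falls inside one of the affected ranges listed above, so fleet owners can find hosts that still need the recommended upgrade. The handling of a ",build" suffix in version strings is an assumption about the inventory format.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 4)),
    ((6, 4, 0), (6, 4, 2)),
    ((6, 3, 6), (6, 3, 21)),
]


def parse_version(text: str) -> Version:
    """Parse a dotted FortiWeb release number such as '7.0.3' into ints.

    Assumption: inventory strings may carry a ',build...' suffix or a
    leading 'v'; both are stripped, since only the release number is
    compared against the advisory ranges.
    """
    core = text.strip().split(",")[0]
    if core.lower().startswith("v"):
        core = core[1:]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def _fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def affected_range(text: str) -> Optional[str]:
    """Return the advisory range that contains the version, or None.

    Tuple comparison orders (major, minor, patch) numerically, so
    '6.3.21' correctly sorts after '6.3.6'.
    """
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return f"{_fmt(low)} through {_fmt(high)}"
    return None


def is_affected(text: str) -> bool:
    """True when the version is one the advisory lists as affected."""
    return affected_range(text) is not None
```

A version outside every listed range is reported as not affected by this advisory only; the check says nothing about other advisories or about branches the page does not mention.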


Internally discovered and reported by Yonghui Han of Fortinet IPS team.