FortiWeb - Unauthorized Configuration Download Vulnerability

Summary

An unauthorized configuration download vulnerability [CWE-285] in FortiWeb may allow a local attacker to access confidential configuration files via a crafted http request.

Affected Products

FortiWeb version 7.0.0 through 7.0.4
FortiWeb version 6.4.0 through 6.4.2
FortiWeb version 6.3.6 through 6.3.21

Solutions

Please upgrade to FortiWeb version 7.0.5 or above.
Please upgrade to FortiWeb version 7.2.0 or above.

Acknowledgement

Internally discovered and reported by Yonghui Han of Fortinet IPS team.