PSIRT Advisory

FortiWeb Cross-Site Request Forgery Vulnerability

Description

Multiple CSRF vulnerabilities exist in the FortiWeb web administration console due to lack of CSRF token protection. This could allow remote attackers to perform administrative actions under specific conditions.

Impact

Authorization Bypass

Affected Products

FortiWeb 5.1.x and lower.

Solutions

Upgrade to FortiWeb 5.2.0 or higher.

Acknowledgement

This vulnerability was separately reported by both William Costa and Enrique Nissim.