FortiOS DoS on webUI through 'params' JSON parameter


An authenticated user may pass a specially crafted payload to the 'params' parameter of the JSON web API (URLs with /json), which can cause the web user interface to be temporarily unresponsive.

Affected Products

FortiOS 5.4.0 to 5.4.5
Versions below 5.4.0 are not affected.


Upgrade to FortiOS 5.4.6 or above.
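As an added example (not Fortinet's code), the following Python sketch triages a device inventory against the affected range and fixed release stated in this advisory. The hostnames and version strings are constructed, and the parser assumes each entry carries a dotted three-part version.

```python
import re

# Ranges taken from this advisory: 5.4.0 to 5.4.5 affected, 5.4.6 or above fixed.
AFFECTED_MIN = (5, 4, 0)
AFFECTED_MAX = (5, 4, 5)

# Matches a dotted three-part version such as "v5.4.4" or "5.4.4".
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Classify one version string against the advisory's ranges."""
    v = parse_version(text)
    if v is None:
        return "unknown"        # unparseable: check the device by hand
    if v < AFFECTED_MIN:
        return "not affected"   # versions below 5.4.0
    if v <= AFFECTED_MAX:
        return "affected"       # 5.4.0 to 5.4.5
    return "fixed"              # 5.4.6 or above

def needs_upgrade(inventory):
    """Return the sorted hostnames whose version is in the affected range."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "affected")

# Constructed inventory: hostnames and version strings are made up.
INVENTORY = {
    "fw-edge-01": "v5.4.4,build0000",
    "fw-branch-02": "5.4.0",
    "fw-dc-03": "v5.4.6",
    "fw-lab-04": "5.2.13",
    "fw-old-05": "n/a",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        print(f"{host:14} {ver:20} {classify(ver)}")
    print("Upgrade to 5.4.6 or above:", ", ".join(needs_upgrade(INVENTORY)))
```

Entries reported as "unknown" could not be parsed and should be checked on the device itself.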


Fortinet is pleased to thank Cody ( ) for reporting this vulnerability under responsible disclosure.