Logged-in SSL VPN user can retrieve firewall objects

Summary

An SSL VPN user logged in via the web portal can access internal FortiOS configuration information (e.g., addresses) via specially crafted URLs.

Affected Products

FortiOS 5.6.0 to 5.6.2
FortiOS 5.4.0 to 5.4.8
FortiOS 5.2 branch all versions

Solutions

Upgrade to FortiOS 5.6.3 or 5.4.9 or newer versions.

Acknowledgement

Fortinet is pleased to thank Fox-IT (https://www.fox-it.com) for reporting this vulnerability under responsible disclosure.