PSIRT Advisories

FortiOS SSL VPN webportal user credentials present in plain text in client side javascript file


An information disclosure vulnerability exists in the SSL-VPN web portal of FortiOS: when pages bookmarked in the web portal use the Single sign-on (SSO) feature, the user's webportal's login and password are included in a javascript file sent client-side.
The leaked credential may potentially be captured by an attacker if additional session handling, access control or cross-site scripting vulnerabilities were to be discovered in the SSL-VPN web portal, or in the applications within (or in case of client-side vulnerabilities, in the user's browser).

Affected Products

FortiOS 6.0.0, 5.6.5 and below versions


Upgrade to FortiOS 5.6.6, 6.0.1 or newer versions


Avoid using the SSO feature in FortiOS SSL VPN bookmarks, especially if the applications inside the SSL VPN web portal are untrusted.


Fortinet is pleased to thank Stephan Neidhardt - link protect GmbH reporting this vulnerability under responsible disclosure.