IR Number FG-IR-18-173
Date Jun 1, 2020
Severity light-circle-logo light-circle-logo light-circle-logo light-circle-logo light-circle-logo Informational
Impact Information Disclosure
CVE ID CVE-2018-13367
Affected Products
FortiOS : 6.2.3, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.1, 5.4.0
CVRF Download
Language

PSIRT Advisories

FortiOS reveals platform information without authentication

Summary

An information exposure vulnerability in FortiOS WEB UI may allow an unauthenticated attacker to gain platform information such as version, via parsing a JavaScript file.

Affected Products

FortiOS 6.2.3, 6.2.0 and below

Solutions

Upgrade to FortiOS 6.2.1, 6.2.2, 6.2.4 or above


Revision History:
2019-08-08 Initial Version
2020-06-01 Issue reintroduced on 6.2.3 and addressed in 6.2.4 and 6.4.0

Acknowledgement

Fortinet is pleased to thank Alp Hisim of Biznet Bilisim (www.biznet.com.tr) and an independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this vulnerability under responsible disclosure.