Able to retrieve (fweb_all.js) without authentication


An information exposure vulnerability in FortiOS Web UI may allow an unauthenticated attacker to gain platform information such as version, via parsing a JavaScript file.

Affected Products

FortiOS 6.2.3, 6.2.0 and below


Upgrade to FortiOS 6.2.1, 6.2.2, 6.2.4 or above

Revision History:
2019-08-08 Initial Version
2020-06-01 Issue reintroduced on 6.2.3 and addressed in 6.2.4 and 6.4.0
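
The affected range is not contiguous: 6.2.1 and 6.2.2 are fixed, but 6.2.3 is affected again, so a plain "older than the fix" comparison misclassifies hosts. The Python below is an added example, not Fortinet code, that triages an inventory against the ranges stated above; the hostnames, models, build numbers and the layout of the version field in the sample are constructed assumptions.

```python
import re

# Matches the x.y.z token in a version field such as "v6.2.3,build0000".
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) found in text, or None if there is none."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """Advisory ranges: 6.2.0 and below, plus 6.2.3 where the issue returned."""
    return version <= (6, 2, 0) or version == (6, 2, 3)


def triage(inventory):
    """Classify each host as 'affected', 'not_affected' or 'unknown'."""
    report = {}
    for host, version_field in inventory.items():
        version = parse_version(version_field)
        if version is None:
            report[host] = "unknown"  # no parsable version: check by hand
        elif is_affected(version):
            report[host] = "affected"
        else:
            report[host] = "not_affected"
    return report


# Constructed sample inventory: hostnames, models and build numbers are made up.
SAMPLE_INVENTORY = {
    "fw-branch-01": "FortiGate-60E v6.0.9,build0000 (GA)",
    "fw-branch-02": "FortiGate-60E v6.2.0,build0000 (GA)",
    "fw-core-01": "FortiGate-100F v6.2.2,build0000 (GA)",
    "fw-core-02": "FortiGate-100F v6.2.3,build0000 (GA)",
    "fw-dc-01": "v6.2.4",
    "fw-dc-02": "6.4.0",
    "fw-lab-01": "version not collected",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Pass only the version field to `parse_version`; a string that also contains an IP address would match the same pattern.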


Fortinet is pleased to thank Alp Hisim of Biznet Bilisim and an independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this vulnerability under responsible disclosure.