A server-side request forgery vulnerability [CWE-918] in FortiAnalyzer and FortiManager may allow a remote attacker with low privileges to view sensitive data from internal servers or perform a local port scan via a crafted HTTP request.
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiAnalyzer 7.0 | 7.0.2 through 7.0.8 | Upgrade to 7.0.9 or above |
| FortiAnalyzer 6.4 | 6.4.8 through 6.4.13 | |
| FortiManager 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above |
Acknowledgement

Fortinet is pleased to thank security researchers Mickael Dorigny at Orange Cyberdéfense, Frédéric Prevost, François-Xavier Picard and Orange CERT-CC at Orange group for discovering and reporting this vulnerability under responsible disclosure.
2023-10-10: Initial publication