PSIRT

Users passwords are retrievable in the UI

Summary

A cleartext storage of sensitive information in the GUI of FortiADC, FortiSIEM, FortiDDoS, FortiDDoS-CM and FortiDDoS-F may allow a remote authenticated attacker to retrieve some sensitive information such as users LDAP passwords, RADIUS shared secret and the Elastic Cloud database password by deobfuscating the passwords entry fields.

Affected Products

FortiADC versions 6.0.0.
FortiADC versions 5.x upto 5.4.3
FortiSIEM versions 6.2.x, 6.1.x, 6.x
FortiDDoS versions 5.4.x, 5.3.x, 5.2.x, 5.1.x, 5.0.x
FortiDDoS-F versions 6.1.x, 6.0.x

Solutions

Please upgrade to FortiADC versions 5.4.4 or above.
Please upgrade to FortiADC versions 6.0.1 or above.
Please upgrade to FortiSIEM 6.3.0 or above.
Please upgrade to FortiDDoS 5.5.0 or above.
Please upgrade to FortiDDoS-F 6.2.0 or above.

Acknowledgement

Fortinet is pleased to thank Harish Chowdary for reporting this vulnerability under responsible disclosure.

Timeline

2021-11-02: Initial publication

IR Number	FG-IR-20-044
Published Date	Nov 2, 2021
Component	GUI
Severity	Medium
CVSSv3 Score	4.2
Impact	Information disclosure
CVE ID
Download	CVRF
Language

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

Users passwords are retrievable in the UI

Summary

Affected Products

Solutions

Acknowledgement

Timeline

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

Users passwords are retrievable in the UI

Summary

Affected Products

Solutions

Acknowledgement

Timeline

Threat Intelligence
Center