The password configured in the FortiWeb's Web Vulnerability Scan profile is visible in cleartext.


An information disclosure vulnerability in FortiWeb's Web Vulnerability Scan profile may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.

Affected Products

FortiWeb version 6.2.3 and below.
FortiWeb version 6.3.4 and below.


Solutions

Please upgrade to version 6.2.4 or above.
Please upgrade to version 6.3.5 or above.


Fortinet is pleased to thank Danilo Costa for reporting this vulnerability under responsible disclosure.