PSIRT Advisories

FortiSDNConnector - Credential leak

Summary

An insufficiently protected credentials vulnerability [CWE-522] in FortiSDNConnector may allow an authenticated user to obtain third-party device credentials by visiting the configuration page in the WebUI.

Affected Products

FortiSDNConnector version 1.1.7 or below

Solutions

Upgrade to FortiSDNConnector version 1.1.8 or above.

Acknowledgement

Internally discovered and reported by Luca Pizziniaco of the Fortinet TAC team.