PSIRT Advisories

FortiPortal - Improper thread synchronization for database operations

Summary

A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability [CWE-362] in the customer database interface of FortiPortal may allow an authenticated, low-privilege user to bring the underlying database data into an inconsistent state via specific coordination of web requests.
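The pattern behind CWE-362 in a database interface, as an added illustration that is not FortiPortal code: a check-then-act sequence split across two statements lets two interleaved requests from one customer both pass a quota check, while a single conditional UPDATE reserves the slot atomically. The `customers`/`sites` tables, the quota of one site and the step-wise scheduler are constructed for the demonstration.

```python
import sqlite3

def setup():
    """In-memory stand-in for the customer database (constructed data): customer 1 may own one site."""
    con = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    con.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, quota INT, used INT);
        CREATE TABLE sites(id INTEGER PRIMARY KEY, customer INT, name TEXT);
        INSERT INTO customers VALUES (1, 1, 0);""")
    return con

def vulnerable_create(con, cust, name):
    """Check in one statement, act in another; the yield marks where the server may switch requests."""
    quota, = con.execute("SELECT quota FROM customers WHERE id=?", (cust,)).fetchone()
    used, = con.execute("SELECT COUNT(*) FROM sites WHERE customer=?", (cust,)).fetchone()
    yield  # both requests pass the check before either one acts
    if used < quota:
        con.execute("INSERT INTO sites(customer, name) VALUES (?, ?)", (cust, name))
        return True
    return False

def hardened_create(con, cust, name):
    """Check and act in one statement: the conditional UPDATE reserves a quota slot atomically."""
    cur = con.execute(
        "UPDATE customers SET used = used + 1 WHERE id=? AND used < quota", (cust,))
    yield  # a switch here no longer matters: the slot is already reserved
    if cur.rowcount == 1:
        con.execute("INSERT INTO sites(customer, name) VALUES (?, ?)", (cust, name))
        return True
    return False

def interleave(*requests):
    """Round-robin scheduler: advance each request one step at a time (worst case for check-then-act)."""
    pending, results = list(requests), []
    while pending:
        for req in list(pending):
            try:
                next(req)
            except StopIteration as done:
                results.append(done.value)
                pending.remove(req)
    return results

def demo(create):
    """Run two racing requests on a fresh database; return their outcomes and customer 1's site count."""
    con = setup()
    results = interleave(create(con, 1, "site-a"), create(con, 1, "site-b"))
    owned, = con.execute("SELECT COUNT(*) FROM sites WHERE customer=1").fetchone()
    return results, owned
```

With the vulnerable handler both requests report success and the customer owns two sites against a quota of one; with the hardened handler the second request is rejected and the data stays consistent.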

Affected Products

FortiPortal version 6.0.5 and below.
FortiPortal version 5.3.6 and below.
FortiPortal version 5.2.6 and below.
FortiPortal version 5.1.2 and below.
FortiPortal version 5.0.3 and below.
FortiPortal version 4.2.2 and below.
FortiPortal version 4.1.2 and below.
FortiPortal version 4.0.2 and below.

Solutions

Upgrade to FortiPortal version 6.0.6 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.