FortiWeb - Confused deputy issue on SERVER_NAME causes open proxy flaw


An unintended proxy or intermediary ('Confused Deputy') [CWE-441] in FortiWeb may allow an authenticated attacker to use the device as proxy to reach any protected host via crafted HTTP requests.

Affected Products

FortiWeb version 6.0.0 through 6.0.7
FortiWeb version 6.1.0 through 6.1.2
FortiWeb version 6.2.0 through 6.2.7
FortiWeb version 6.3.0 through 6.3.15
FortiWeb version 6.4.0 through 6.4.1



Upgrade to FortiWeb version 7.0.0 and above
Upgrade to FortiWeb version 6.4.2 and above
Upgrade to FortiWeb version 6.3.16 and above


Internally discovered and reported by Mattia Fecit of Fortinet Product Security team.