FortiWeb - arbitrary file/directory deletion


An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem.

Affected Products

FortiWeb 6.4.1 and below.
FortiWeb 6.3.15 and below.
FortiWeb 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x.


Please upgrade to FortiWeb 6.4.2 or above.
Please upgrade to FortiWeb 6.3.16 or above.


Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.