FortiWeb - arbitrary file/directory deletion

Summary

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem.

Affected Products

FortiWeb 6.4.1 and below.
FortiWeb 6.3.15 and below.
FortiWeb 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x.

Solutions

Please upgrade to FortiWeb 6.4.2 or above.
Please upgrade to FortiWeb 6.3.16 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.