FortiWeb - Heap-based buffer overflows in API controller


Multiple heap-based buffer overflow vulnerabilities [CWE-122] in the web API controllers of FortiWeb may allow a remote, authenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.

Affected Products

FortiWeb 6.4.1 and below.
FortiWeb 6.3.15 and below.

Solutions

Upgrade to FortiWeb version 6.4.2 or above.
Upgrade to FortiWeb version 6.3.16 or above.


Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet Product Security team.