FortiWeb - Open redirect in redir handler due to direct input interpolation


A URL redirection to untrusted site ('Open Redirect') [CWE-601] vulnerability in FortiWeb may allow an authenticated attacker to use the device as a proxy and reach external or protected hosts via redirection handlers.
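
As an added defensive illustration (not FortiWeb code; the advisory shows none), the sketch below places the unsafe pattern named in the title, a redirect handler that interpolates the `redir` parameter into the response unchanged, beside a hardened resolver that validates and rebuilds the target so only a same-origin path or an allowlisted https host can be reached. Function names, the allowlist and the sample inputs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"


def build_location_unsafe(redir: str) -> str:
    """The defect class the advisory describes (hypothetical sketch): the
    redir parameter lands in the Location header verbatim, so whatever host
    the caller names becomes the next hop for the client or the device."""
    return redir


def resolve_redirect(redir: str, allowed_hosts: frozenset = frozenset(),
                     default: str = DEFAULT_TARGET) -> str:
    """Return a safe Location value: a same-origin absolute path, or an
    https URL whose host is exactly on the allowlist; anything else -> default."""
    if not redir:
        return default
    # Browsers strip tabs/newlines while parsing and treat '\' like '/';
    # reject control/whitespace outright and normalise backslashes first.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in redir):
        return default
    candidate = redir.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute target: only https to an allowlisted host. Comparing the
        # whole netloc means userinfo ("allowed@evil") or a port never matches.
        host = parts.netloc.lower()
        if parts.scheme != "https" or host not in allowed_hosts:
            return default
        return urlunsplit(("https", host, parts.path or "/",
                           parts.query, parts.fragment))
    # Relative target: exactly one leading slash. "//host" and "///host" are
    # parsed as an authority by browsers, and urlsplit only flags the first.
    if not parts.path.startswith("/") or candidate.startswith("//"):
        return default
    # Rebuild from parsed pieces so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```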

Affected Products

FortiWeb version 6.2.0 through 6.2.7
FortiWeb version 6.3.0 through 6.3.15
FortiWeb version 6.4.0 through 6.4.1

Solutions

Upgrade to FortiWeb version 7.0.0 or above
Upgrade to FortiWeb version 6.4.2 or above
Upgrade to FortiWeb version 6.3.16 or above

Acknowledgement

Internally discovered and reported by Mattia Fecit of Fortinet Product Security Team