virus logo PSIRT

FortiWeb - Path traversal in API controller

Summary

A relative path traversal vulnerability [CWE-23] in the API of FortiWeb may allow an authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.

Version Affected Solution
FortiWeb 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above
FortiWeb 6.4 6.4 all versions Migrate to a fixed release
FortiWeb 6.3 6.3.6 through 6.3.20 Upgrade to 6.3.21 or above

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team.
IR Number FG-IR-22-251
Date Feb 16, 2023
Component GUI
Severity Medium
CVSSv3 Score 5.6
Impact Information disclosure
CVE ID CVE-2023-23784
CVRF Download