FortiADC & FortiDDoS-F - CORS: arbitrary origin trusted

Summary

A permissive cross-domain policy with untrusted domains (CWE-942) vulnerability in the API of FortiADC / FortiDDoS-F may allow an unauthorized attacker to carry out privileged actions and retrieve sensitive information via crafted web requests.

Version Affected Solution
FortiDDoS-F 6.5 Not affected Upgrade to 6.5.0 or above
FortiDDoS-F 6.4 6.4.0 through 6.4.1 Upgrade to 6.4.2 or above
FortiDDoS-F 6.3 6.3 all versions Migrate to a fixed release
FortiADC 7.2 Not affected Upgrade to 7.2.0 or above
FortiADC 7.1 7.1.0 through 7.1.1 Upgrade to 7.1.2 or above

Timeline

2023-10-17: Initial publication