FortiWeb - Insufficient protections against XSS and CSRF

Summary

A protection mechanism failure [CWE-693] vulnerability in FortiWeb may allow an attacker to bypass XSS and CSRF protections.

Version Affected Solution
FortiWeb 7.2 7.2.0 through 7.2.1 Upgrade to 7.2.2 or above
FortiWeb 7.0 7.0.0 through 7.0.6 Upgrade to 7.0.7 or above
FortiWeb 6.4 6.4.0 through 6.4.3 Upgrade to 6.4.4 or above
FortiWeb 6.3 6.3.6 through 6.3.23 Upgrade to 6.3.24 or above

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

2023-09-05: Initial publication