Path traversal vulnerability in administrative interface


An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability [CWE-22] in FortiVoice may allow an authenticated attacker to read arbitrary files from the system via sending crafted HTTP or HTTPS requests

Version Affected Solution
FortiVoice 7.0 7.0.0 Upgrade to 7.0.1 or above
FortiVoice 6.4 6.4.0 through 6.4.7 Upgrade to 6.4.8 or above
FortiVoice 6.0 6.0 all versions Migrate to a fixed release


Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby Infosec team.


2024-01-02: Initial publication