Client IP relies on X-Forwarded-For and other headers


A Use Of Less Trusted Source [CWE-348] vulnerability in FortiPortal may allow an unauthenticated attacker to bypass IP protection through crafted HTTP or HTTPS packets.

| Version | Affected | Solution |
|---|---|---|
| FortiPortal 7.2 | 7.2.0 through 7.2.1 | Upgrade to 7.2.2 or above |
| FortiPortal 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above |
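The general CWE-348 pattern named in the title, as an added example that is not FortiPortal code and does not reproduce its implementation: a resolver that trusts X-Forwarded-For from any sender, beside one that honours the header only when the TCP peer is a known proxy. The proxy range, allowlist, function names and sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: address range of the reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: networks the application's IP restriction permits.
ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer_addr, headers):
    """CWE-348 pattern: believe the left-most header entry from any sender."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_addr

def resolved_client_ip(peer_addr, headers):
    """Honour the header only from a trusted proxy, then walk the chain
    right to left and stop at the first hop that is not a trusted proxy."""
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer):
        return str(peer)  # direct connection: the header is client-supplied
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    client = peer
    for hop in reversed([h for h in hops if h]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        client = candidate
        if not _trusted(candidate):
            break  # first hop outside our proxies is the real client
    return str(client)

def ip_allowed(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWLIST)

if __name__ == "__main__":
    # Constructed requests: (TCP peer address, request headers).
    samples = [
        ("203.0.113.50", {"X-Forwarded-For": "192.168.1.10"}),
        ("10.0.0.5", {"X-Forwarded-For": "192.168.1.10, 203.0.113.50"}),
        ("10.0.0.5", {"X-Forwarded-For": "192.168.1.20"}),
    ]
    for peer, hdrs in samples:
        n, r = naive_client_ip(peer, hdrs), resolved_client_ip(peer, hdrs)
        print(peer, hdrs, "naive:", n, ip_allowed(n), "resolved:", r, ip_allowed(r))
```

The same review applies to any other header used as a client address source: it should be read only on connections arriving from a proxy that is known to overwrite or append it.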


Internally discovered and reported by Théo Leleu of the Fortinet Product Security team.


2024-05-14: Initial publication