Insertion of sensitive information into system log

Summary

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiPortal may allow an authenticated attacker with at least read-only admin permissions to view encrypted secrets via the FortiPortal System Log.

Version           Affected                  Solution
FortiPortal 7.4   7.4.0                     Upgrade to 7.4.1 or above
FortiPortal 7.2   7.2.0 through 7.2.5       Upgrade to 7.2.6 or above
FortiPortal 7.0   7.0.0 through 7.0.9       Upgrade to 7.0.10 or above
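The following is an added example, not part of the Fortinet advisory, that turns the table above into a version check: it parses a FortiPortal version string into integer components (so that 7.0.10 is correctly ranked above 7.0.9, which a plain string comparison gets wrong) and reports the first fixed release when the build falls inside an affected range. The range data is copied from the table; the function names and the "build" suffix handling are this example's own assumptions.

```python
# Added example (not part of the Fortinet advisory): decide whether a
# FortiPortal build falls inside the affected ranges listed in the table.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges copied from the advisory table, as (first, last) inclusive,
# together with the release that closes each range.
AFFECTED_RANGES = [
    ((7, 4, 0), (7, 4, 0), (7, 4, 1)),
    ((7, 2, 0), (7, 2, 5), (7, 2, 6)),
    ((7, 0, 0), (7, 0, 9), (7, 0, 10)),
]


def parse_version(text: str) -> Version:
    """Parse '7.2.5', 'v7.2.5' or '7.2.5 build0123' into a comparable tuple.

    Components are converted to integers so that (7, 0, 10) > (7, 0, 9);
    comparing the raw strings would rank 7.0.10 below 7.0.9.
    The leading 'v' and trailing build token are assumed formats, not
    something the advisory specifies.
    """
    token = text.strip().lstrip("vV").split()[0]
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiPortal version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_release(version_text: str) -> Optional[str]:
    """Return the first fixed release if the version is affected, else None.

    Versions on branches the advisory does not list (for example 7.3.x or
    6.x) return None because the advisory says nothing about them, not
    because they are known to be safe.
    """
    v = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= v <= last:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version_text: str) -> bool:
    """True when the version lies inside one of the advisory's ranges."""
    return fixed_release(version_text) is not None


if __name__ == "__main__":
    # Constructed sample inputs, including the 7.0.9 / 7.0.10 boundary.
    for sample in ["7.4.0", "7.4.1", "7.2.3", "7.2.6", "7.0.10", "v7.0.9 build0045"]:
        fix = fixed_release(sample)
        verdict = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:>18}: {verdict}")
```

Note that a None result only means the version is outside the ranges the advisory lists; it does not assert that unlisted branches are unaffected.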

Workaround

Enable private-data-encryption on each device managed by FortiPortal. From the CLI of each managed device, run:

config system global
set private-data-encryption enable
end

Acknowledgement

Internally reported by Tim Morris from the Fortinet sales team.

Timeline

2025-05-13: Initial publication
2025-05-13: Updated acknowledgement