Application Control Violation page leaks Private IP and Hostname Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-085 Final 1 1 2018-08-23T00:00:00 Current version 2018-08-23T00:00:00 2018-08-23T00:00:00 The default replacement message in FortiOS' Application Control block page reveals the private IP as well as the hostname of the FortiGate. Information disclosure FortiOS 5.6.5, 6.0.1 and below. Upgrade to 5.6.6, 6.0.2, 6.2.0 or laterWork around:All the replacement messages are configurable by the administrators. The default replacement messages are just templates. An administrator can easily change them to suit their needs. For example, remove the server/client IPs and FortiOS host names. Fortinet is pleased to thank Anandraj Amaran Security Researcher,22by7 solutions (22by7.in) reporting this vulnerability under responsible disclosure. CVE-2018-13365 5.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-085 Application Control Violation page leaks Private IP and Hostname Reference>