Potential sensitive information can be displayed in cleartext in FortiProxy CLI window
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-20-236
Final
1
1
2021-03-02T00:00:00
Current version
2021-03-02T00:00:00
2021-03-02T00:00:00
A cleartext storage of sensitive information vulnerability in the FortiProxy command line interface may allow an authenticated attacker to obtain sensitive information, such as VPN users' passwords, by connecting to the FortiProxy CLI and executing the "diagnose sys ha checksum show" command.
Information Disclosure
FortiProxy version 2.0.0. FortiProxy versions 1.2.9 and below. FortiProxy versions 1.1.6 and below. FortiProxy versions 1.0.7 and below.
Please upgrade to FortiProxy versions 2.0.1 or above. Please upgrade to FortiProxy versions 1.2.10 or above.
Fortinet is pleased to thank Shaun Farrow for reporting this vulnerability under responsible disclosure.
FortiProxy 2.0.0
FortiProxy 1.2.9
FortiProxy 1.2.8
FortiProxy 1.2.7
FortiProxy 1.2.6
FortiProxy 1.2.5
FortiProxy 1.2.4
FortiProxy 1.2.3
FortiProxy 1.2.2
FortiProxy 1.2.1
FortiProxy 1.2.0
FortiProxy 1.1.6
CVE-2020-6648
5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-20-236