FortiPortal - Path traversal in controller
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-21-085
Status: Final
Version: 1
Revision 1 (2021-08-03T00:00:00): Current version
Initial release date: 2021-08-03T00:00:00
Current release date: 2021-08-03T00:00:00
A protection mechanism failure vulnerability (CWE-693) resulting in improperly limiting pathname to a restricted directory in FortiPortal may allow an authenticated attacker to perform a path traversal attack via maliciously crafted GET parameters.
Information disclosure
FortiPortal versions 5.2.5 and below. FortiPortal versions 5.3.5 and below. FortiPortal versions 6.0.4 and below.
Please upgrade to FortiPortal version 5.2.6 or above. Please upgrade to FortiPortal version 5.3.6 or above. Please upgrade to FortiPortal version 6.0.5 or above.
Fortinet is pleased to thank Ben Knight for reporting this issue under responsible disclosure.
FortiPortal 6.0.4
FortiPortal 6.0.3
FortiPortal 6.0.2
FortiPortal 6.0.1
FortiPortal 6.0.0
FortiPortal 5.3.5
FortiPortal 5.3.4
FortiPortal 5.3.3
FortiPortal 5.3.2
FortiPortal 5.3.1
FortiPortal 5.3.0
FortiPortal 5.2.5
FortiPortal 5.2.4
FortiPortal 5.2.3
FortiPortal 5.2.2
FortiPortal 5.2.1
FortiPortal 5.2.0
FortiPortal 5.1.2
FortiPortal 5.1.1
FortiPortal 5.1.0
FortiPortal 5.0.3
FortiPortal 5.0.2
FortiPortal 5.0.1
FortiPortal 5.0.0
FortiPortal 4.2.2
FortiPortal 4.2.1
FortiPortal 4.1.2
FortiPortal 4.1.1
FortiPortal 4.1.0
FortiPortal 4.0.4
FortiPortal 4.0.3
FortiPortal 4.0.2
FortiPortal 4.0.1
FortiPortal 4.0.0
CVE-2021-36168
6.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:X/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-21-085