Path traversal in controller Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-085 Final 1 1 2021-08-03T00:00:00 Current version 2021-08-03T00:00:00 2021-08-03T00:00:00 A protection mechanism failure vulnerability (CWE-693) resulting in improperly limiting pathname to a restricted directory in FortiPortal may allow an authenticated attacker to perform a path traversal attack via maliciously crafted GET parameters. Information disclosure FortiPortal versions 5.2.5 and below.FortiPortal versions 5.3.5 and below.FortiPortal versions 6.0.4 and below. Please upgrade to FortiPortal version 5.2.6 or above.Please upgrade to FortiPortal version 5.3.6 or above.Please upgrade to FortiPortal version 6.0.5 or above. Fortinet is pleased to thank Ben Knight for reporting this issue under responsible disclosure. CVE-2021-36168 6.2 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-085 Path traversal in controller Reference>