PSIRT Advisory

FortiWeb multiple vulnerabilities


Older versions of FortiWeb are subject to three vulnerabilities:
1. OS command injection: A WebUI administrator user may run system commands when executing a report
2. Reflected XSS: A WebUI administrator user may perform a reflected XSS attack via an improperly sanitized parameter in the FortiWeb auto update service page
3. Password field with autocomplete enabled: The WebUI FTP backup page contains a password field with HTML form autocomplete enabled


XSS, OS command injection, autocomplete in html form

Affected Products

The Reflected XSS impacts FortiWeb versions between 5.0.0 and 5.3.4 included.
The OS command injection and the password field with autocomplete enabled impact all supported FortiWeb versions lower than 5.3.5.


Upgrade to FortiWeb 5.3.5 or higher.
Associate administrators to a limited access profile with none or read-only privileges for the following pages:
- Maintenance
- System Configuration
- Log & report