PSIRT

Able to retrieve (fweb_all.js) without authentication

Summary

An information exposure vulnerability in FortiOS Web UI may allow an unauthenticated attacker to gain platform information such as version, via parsing a JavaScript file.

Affected Products

FortiOS 6.2.3, 6.2.0 and below

Solutions

Upgrade to FortiOS 6.2.1, 6.2.2, 6.2.4 or above
Revision History:
2019-08-08 Initial Version
2020-06-01 Issue reintroduced on 6.2.3 and addressed in 6.2.4 and 6.4.0

Acknowledgement

Fortinet is pleased to thank Alp Hisim of Biznet Bilisim (www.biznet.com.tr) and an independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this vulnerability under responsible disclosure.

IR Number	FG-IR-18-173
Published Date	Jun 1, 2020
Severity	Medium
CVSSv3 Score	5.2
Impact	Information disclosure
CVE ID
Download	CVRF
Language

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

Able to retrieve (fweb_all.js) without authentication

Summary

Affected Products

Solutions

Acknowledgement

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

Able to retrieve (fweb_all.js) without authentication

Summary

Affected Products

Solutions

Acknowledgement

Threat Intelligence
Center