The password configured in FortiWeb's Web Vulnerability Scan profile is visible in cleartext.

Summary

An information disclosure vulnerability in FortiWeb's Web Vulnerability Scan profile may allow a remote authenticated attacker to read the password used by the FortiWeb scanner to access the device defined in the scan profile.

Affected Products

FortiWeb version 6.2.3 and below.
FortiWeb version 6.3.4 and below.

Solutions

Please upgrade to version 6.2.4 or above.
Please upgrade to version 6.3.5 or above.

Acknowledgement

Fortinet is pleased to thank Danilo Costa for reporting this vulnerability under responsible disclosure.