Arbitrary file creation by unprivileged users
Summary
A relative path traversal [CWE-23] vulnerability in FortiClientWindows may allow a local low privileged attacker to perform arbitrary file creation on the device filesystem.
Affected Products
FortiClientWindows version 7.0.0 through 7.0.7
FortiClientWindows 6.4 all versions
FortiClientWindows 6.2 all versions
FortiClientWindows 6.0 all versions
Solutions
Please upgrade to FortiClientWindows version 7.2.0 or above
Please upgrade to FortiClientWindows version 7.0.8 or above
Acknowledgement
Fortinet is pleased to thank Daniel Hulliger from Armasuisse CYD Campus for reporting this vulnerability under responsible disclosure.Timeline
2023-03-28: Initial publication