PSIRT Advisory

FortiAnalyzer, FortiManager Open Redirect Vulnerability

Summary

The FortiAnalyzer and FortiManager WebUI accept a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
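The flaw described above is the classic open-redirect pattern: a request parameter names the post-action destination and the server writes it into the Location header unchecked. The following added example (not Fortinet code; the allowed host name, the parameter name and the sample inputs are constructed for illustration) shows the unchecked handler beside a hardened one that only accepts same-site relative paths or absolute URLs whose host is on an allowlist, rejecting the scheme-relative, backslash and userinfo forms that naive checks miss.

```python
from urllib.parse import urlsplit

# Hosts the WebUI may redirect to (hypothetical value, constructed for the example).
ALLOWED_HOSTS = {"manager.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site path or an absolute URL on an allowed host."""
    if not target:
        return False
    # Browsers treat "\" like "/" in the authority part, so normalise first;
    # otherwise "/\evil.example" would parse as a harmless relative path.
    normalised = target.replace("\\", "/").strip()
    # Control characters have no place in a redirect target (header splitting,
    # parser confusion), so reject them outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in normalised):
        return False
    parts = urlsplit(normalised)
    if parts.netloc == "":
        # No authority component. Anything with a scheme here ("javascript:",
        # "mailto:", "http:evil.example") is not a local path: reject it.
        if parts.scheme:
            return False
        # A local path starts with exactly one "/". "///evil.example" is
        # resolved by browsers as an authority, so two leading slashes are out.
        return normalised.startswith("/") and not normalised.startswith("//")
    # Absolute or scheme-relative URL: only http(s), and only to an allowed host.
    if parts.scheme not in ("", "http", "https"):
        return False
    # .hostname drops userinfo and port, so "https://good@evil.example" compares
    # against "evil.example", not "good".
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def redirect_vulnerable(next_param: str) -> str:
    """The flawed pattern: the Location value is whatever the client supplied."""
    return next_param


def redirect_hardened(next_param: str, fallback: str = "/") -> str:
    """Validate the target and fall back to a fixed local page when it fails."""
    return next_param if is_safe_redirect(next_param) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate path, a legitimate allowed host,
    # and several shapes that a redirect validator must reject.
    for sample in ["/dashboard",
                   "https://manager.example.internal/login",
                   "//evil.example/",
                   "/\\evil.example",
                   "javascript:alert(1)",
                   "https://manager.example.internal@evil.example/"]:
        print(f"{sample!r:55} -> {redirect_hardened(sample)!r}")
```

The hardened handler never echoes an unvalidated value back; on failure it redirects to a fixed local page rather than attempting to "fix up" the input, which keeps the decision simple to audit.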

Impact

Open redirect

Affected Products

  • FortiAnalyzer versions 5.4.0 to 5.4.2,
  • FortiManager versions 5.4.0 to 5.4.2.

Preceding versions of FortiAnalyzer and FortiManager are not impacted.

Solutions

For FortiAnalyzer:

  • Upgrade to version 5.4.3
For FortiManager:

  • Upgrade to version 5.4.3

Acknowledgement

Fortinet is pleased to thank

  • Ronan Dunne of Biocompatibles UK Ltd, and
  • Babar Khan Akhunzada of SecurityWall.co & Khyber Pakhtunkhwa Govt Data Center
for reporting this vulnerability under responsible disclosure.