Headline
CVE-2023-46713: Fortiguard
An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application.
FortiWeb - Log injection
Summary
An improper output neutralization for logs vulnerability [CWE-117] in FortiWeb Traffic Log component may allow an attacker to forge traffic logs via a crafted URL of the web application.
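A minimal sketch of the output neutralization that CWE-117 calls for, added here as an illustration; it is not Fortinet's code. The key="value" record layout, the function names and the sample URL are assumptions, since the advisory does not describe FortiWeb's log format or the fix.

```python
import re
from urllib.parse import unquote

# Characters that can end or restructure a one-line key="value" record:
# C0 controls (CR, LF, ...), DEL, NEL, Unicode line/paragraph separators,
# and the quote and backslash that this assumed format uses itself.
_UNSAFE = re.compile(r'[\x00-\x1f\x7f\x85\u2028\u2029"\\]')


def neutralize(value: str) -> str:
    """Replace each unsafe character with a visible \\uXXXX escape."""
    return _UNSAFE.sub(lambda m: "\\u%04x" % ord(m.group()), value)


def naive_record(src: str, url: str, status: int) -> str:
    # Weak form: the decoded URL is copied into the record unchanged.
    return f'src={src} url="{unquote(url)}" status={status}'


def safe_record(src: str, url: str, status: int) -> str:
    # Hardened form: the URL is neutralized at the point of output.
    return f'src={src} url="{neutralize(unquote(url))}" status={status}'


def records_seen(entry: str) -> int:
    """Number of records a line-oriented log reader would see in one write."""
    return len(entry.splitlines())


# Constructed sample: a URL whose encoded CR LF is followed by extra text.
SAMPLE_URL = "/index.html%0d%0aEXTRA-TEXT"

if __name__ == "__main__":
    for build in (naive_record, safe_record):
        entry = build("198.51.100.7", SAMPLE_URL, 200)
        print(build.__name__, records_seen(entry), repr(entry))
```

Neutralizing at the point of output, rather than filtering requests, keeps the original value recoverable from the escaped field for later investigation.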
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiWeb 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiWeb 6.3 | 6.3 all versions | Migrate to a fixed release |
| FortiWeb 6.2 | 6.2 all versions | Migrate to a fixed release |
Acknowledgement
Fortinet is pleased to thank AMAL ADJADJI for reporting this vulnerability under responsible disclosure.