Fortinet · Fortiweb · CVE-2025-52970
**Name of the Vulnerable Software and Affected Versions**
Fortinet FortiWeb versions 7.0 through 7.6
Fortinet FortiWeb versions 7.6.3 and below
Fortinet FortiWeb versions 7.4.7 and below
Fortinet FortiWeb versions 7.2.10 and below
Fortinet FortiWeb versions 7.0.10 and below
**Description**
Improper handling of parameters in Fortinet FortiWeb allows an unauthenticated remote attacker who holds non-public information about the device and the targeted user to gain administrative privileges. The issue stems from an out-of-bounds read during cookie parsing, which lets an attacker forge authentication cookies and bypass authentication. Exploitation involves manipulating the `Era` cookie parameter to force the server to use a predictable secret key for session encryption and HMAC signing. Successful exploitation allows an attacker to impersonate any user, including administrators, via the `/api/v2.0/system/status.systemstatus` endpoint and potentially to gain access to the command-line interface via `/ws/cli/open`. Active exploitation of this issue has been observed, with attacks originating from multiple IP addresses, and there are reports of widespread exploitation.
**Recommendations**
Update to FortiWeb version 7.6.4 or later.
Update to FortiWeb version 7.4.8 or later.
Update to FortiWeb version 7.2.11 or later.
Update to FortiWeb version 7.0.11 or later.
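As an added example (not code from Fortinet or from this advisory), the following checker maps a FortiWeb version string onto the affected and fixed ranges listed above, so an inventory of appliances can be triaged quickly. It assumes version strings of the form `major.minor[.patch]`, optionally prefixed with `v` or followed by a build suffix; branches that the advisory marks as affected but gives no fixed release for (7.1, 7.3, 7.5) are reported as vulnerable with no upgrade target, and versions outside the stated 7.0 through 7.6 range are reported as not covered by the advisory rather than as safe.

```python
"""Triage FortiWeb version strings against the ranges stated in the
advisory for CVE-2025-52970 (added example, not Fortinet's own tooling)."""
from __future__ import annotations

# First fixed release per branch, exactly as listed under Recommendations.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 6): (7, 6, 4),
    (7, 4): (7, 4, 8),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 11),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (optional leading 'v'), e.g. 'v7.4.7' -> (7, 4, 7).
    Anything after whitespace or a comma (build suffixes) is ignored;
    a missing patch component is treated as 0."""
    core = text.strip().lstrip("vV").split()[0].split(",")[0]
    parts = core.split(".")
    if len(parts) < 2 or len(parts) > 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> dict:
    """Return a verdict for one appliance version.

    status is one of:
      'vulnerable' - inside an affected range stated by the advisory
      'fixed'      - at or above the branch's listed fixed release
      'unlisted'   - outside the 7.0 through 7.6 range the advisory covers
    upgrade_to is the fixed release for the branch, or None when the
    advisory lists none."""
    ver = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get((ver[0], ver[1]))
    if fixed is not None:
        status = "fixed" if ver >= fixed else "vulnerable"
        return {"version": ver, "status": status, "upgrade_to": fixed}
    # 7.1 / 7.3 / 7.5: the advisory says 7.0 through 7.6 is affected but
    # lists no patched release for these branches.
    if ver[0] == 7 and 0 <= ver[1] <= 6:
        return {"version": ver, "status": "vulnerable", "upgrade_to": None}
    return {"version": ver, "status": "unlisted", "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    for v in ["7.6.3", "7.6.4", "v7.4.7 build 0100", "7.2.11", "7.5.2", "8.0.1"]:
        print(v, "->", assess(v))
```

Feed it the version reported by each appliance; a `vulnerable` verdict with `upgrade_to` set gives the target release from the Recommendations above, while `unlisted` means the advisory makes no statement about that version and should be checked against the vendor's current guidance rather than treated as patched.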