Cleartext storage of sensitive information in FortiADC

#VU48131 Cleartext storage of sensitive information in FortiADC

Published: 2020-11-03

Vulnerability identifier: #VU48131

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15935

CWE-ID: CWE-312

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FortiADC
Server applications / Other server solutions

Vendor: Fortinet, Inc

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to GUI in FortiADC may allow information disclosure. A remote authenticated user can obtain sensitive information, such as users LDAP passwords and RADIUS shared secret, by deobfuscating the passwords entry fields.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

FortiADC: 6.0.0, 5.4.0 - 5.4.3

External links
http://fortiguard.com/psirt/FG-IR-20-044

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Fortinet FortiADC