FortiAnalyzer and FortiManager admin user avatar setting improper access control

Summary

An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can edit the avatar picture of other users (including with higher privileges) with arbitrary content.

Modern browsers would however not interpret code in the context of an image, therefore XSS attacks are only feasible if the target is using a legacy browser (I.E. 6 or below).

Affected Products

FortiAnalyzer 6.0.0 and below versions.
FortiManager 6.0.0 and below versions.

Solutions

FortiAnalyzer: upgrade to 6.0.1 or higher versions FortiManager: upgrade to 6.0.1 or higher versions

Acknowledgement

Fortinet is pleased to thank independent researcher Donato Onofri reporting this vulnerability under responsible disclosure.