FortiAnalyzer and FortiManager admin user avatar setting improper access control
Summary
An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can replace the avatar picture of other users (including users with higher privileges) with arbitrary content.
However, modern browsers do not interpret code in the context of an image, so XSS attacks are only feasible if the target is using a legacy browser (Internet Explorer 6 or below).
Affected Products
FortiAnalyzer 6.0.0 and below versions.
FortiManager 6.0.0 and below versions.
Solutions
FortiAnalyzer: upgrade to 6.0.1 or higher versions
FortiManager: upgrade to 6.0.1 or higher versions
Acknowledgement
Fortinet is pleased to thank independent researcher Donato Onofri for reporting this vulnerability under responsible disclosure.