FortiManager Missing Function Level Control on WebUI Change Picture
Summary
An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can edit the avatar picture of other users (including those with higher privileges), supplying arbitrary content.
However, modern browsers do not interpret code in the context of an image, so XSS attacks are only feasible if the target is using a legacy browser (Internet Explorer 6 or below).
Affected Products
FortiAnalyzer versions 6.0.0 and below.
FortiManager versions 6.0.0 and below.
Solutions
FortiAnalyzer: upgrade to version 6.0.1 or higher
FortiManager: upgrade to version 6.0.1 or higher