FortiAnalyzer and FortiManager admin user avatar setting improper access control
An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can edit the avatar picture of other users (including with higher privileges) with arbitrary content.
Modern browsers would however not interpret code in the context of an image, therefore XSS attacks are only feasible if the target is using a legacy browser (I.E. 6 or below).
Improper Access Control
FortiAnalyzer 6.0.0, 5.6.5 and below versions.
FortiManager 6.0.0, 5.6.5 and below versions.
FortiAnalyzer: upgrade to 5.6.6, 6.0.1 or higher versions
FortiManager: upgrade to 5.6.6, 6.0.1 or higher versions
Fortinet is pleased to thank independent researcher Donato Onofri reporting this vulnerability under responsible disclosure.