PSIRT Advisory

FortiManager Unencrypted Password Vulnerability

Summary

A cleartext transmission of sensitive information vulnerability in FortiManager may allow an unauthenticated attacker in a man-in-the-middle position to retrieve the admin password by intercepting REST API JSON responses.

Impact

Information disclosure

Affected Products

FortiManager 5.2.0 to 5.2.7, 5.4.0 and 5.4.1

Solutions

Upgrade to 5.2.8 or above.
Upgrade to 5.4.2 or above.

Acknowledgement

Fortinet thanks Pavel German for reporting this vulnerability.