Read-only admins can obtain LDAP credentials configured in FortiGate using the LDAP test connectivity feature
FortiGate's read-only admins are able to point an LDAP server connectivity test request at a rogue LDAP server instead of the configured one, in order to obtain the LDAP server login credentials configured in the FortiGate.
Improper Access Control
FortiOS 6.0.2 and before
Upgrade to FortiOS 6.0.3 or the upcoming 6.2.0
Fortinet is pleased to thank Julio Engels Ureña Martinez for reporting this vulnerability under responsible disclosure.