PSIRT Advisory

FortiManager Cross-Site WebSocket Hijacking (CSWSH)

Summary

An Insufficient Verification of Data Authenticity vulnerability in FortiManager may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.
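The root cause of a CSWSH attack is a WebSocket endpoint that accepts a browser-initiated handshake from any origin while authenticating it only by the victim's ambient session cookie. The following added example (not FortiManager code, and making no claim about how FortiManager's endpoint is implemented) shows the server-side check that closes this class of issue: the handshake is rejected unless its Origin header is on an allow-list of the origins the management UI is actually served from, and additionally unless it carries a per-session token that a cross-site page cannot read. All hostnames, paths, cookie values and tokens below are constructed for the example.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: the only origin(s) from which the management UI is served.
# A browser sets Origin itself on WebSocket handshakes and page script cannot alter it,
# so a page on another site cannot make its handshake look like it came from here.
ALLOWED_ORIGINS = frozenset({"https://fmg.example.internal"})


def parse_handshake(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers).

    Header names are lower-cased; the first value wins for duplicate headers.
    """
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers


def evaluate_handshake(raw: str, expected_token: str, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade request may be accepted.

    Returns (allowed, reason). Both checks must pass:
      1. Origin is present and on the allow-list (defeats cross-site handshakes
         that rely on the browser attaching the victim's cookies).
      2. A per-session token in the query string matches the one issued to this
         session (defence in depth: a cross-site page cannot read the token).
    """
    method, target, headers = parse_handshake(raw)
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade request"

    origin = headers.get("origin")
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes; treat absence as
        # untrusted rather than as "probably a non-browser client".
        return False, "missing Origin header"
    if origin not in allowed_origins:
        return False, f"origin not allowed: {origin}"

    query = parse_qs(urlsplit(target).query)
    presented = query.get("token", [""])[0]
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "session token missing or invalid"

    return True, "ok"


def _request(origin_line: str, token: str) -> str:
    """Build a constructed handshake request carrying the victim's session cookie."""
    return (
        f"GET /ws?token={token} HTTP/1.1\r\n"
        "Host: fmg.example.internal\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        f"{origin_line}"
        "Cookie: session=constructed-session-cookie\r\n"
        "\r\n"
    )


SESSION_TOKEN = "constructed-session-token"  # what the server issued to this session
LEGIT_REQUEST = _request("Origin: https://fmg.example.internal\r\n", SESSION_TOKEN)
CROSS_SITE_REQUEST = _request("Origin: https://other-site.example\r\n", SESSION_TOKEN)
NO_ORIGIN_REQUEST = _request("", SESSION_TOKEN)
BAD_TOKEN_REQUEST = _request("Origin: https://fmg.example.internal\r\n", "wrong-token")

if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("cross-site", CROSS_SITE_REQUEST),
                      ("no-origin", NO_ORIGIN_REQUEST), ("bad-token", BAD_TOKEN_REQUEST)]:
        print(name, evaluate_handshake(req, SESSION_TOKEN))
```

The Origin check is the primary control: the cookie on the cross-site request is genuine (the browser attached it), so only the origin distinguishes it from a legitimate handshake. The token check matters for deployments where the allow-list cannot be kept exact (proxies, multiple hostnames), because a page on another site can neither read the token nor forge the header.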

Impact

Improper Access Control

Affected Products

FortiManager 6.2.0 to 6.2.1, and 6.0.6 and below

Solutions

Upgrade to FortiManager 6.2.2 or 6.0.7

Acknowledgement

Fortinet is pleased to thank the independent research team of Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this issue under responsible disclosure.