FortiAnalyzer & FortiManager - improper authorization to template image

Summary

An exposure of resource to wrong sphere vulnerability [CWE-668] in the FortiAnalyzer and FortiManager GUI may allow an unauthenticated and remote attacker to access report template images by referencing the image name in the URL path.

Affected Products

FortiManager version 7.0.0 through 7.0.3
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiManager 6.0 all versions
FortiManager 5.6 all versions

FortiAnalyzer version 7.0.0 through 7.0.3
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions
FortiAnalyzer 5.6 all versions

Solutions

Please upgrade to FortiAnalyzer version 7.0.4 or above.
Please upgrade to FortiAnalyzer version 7.2.0 or above.
Please upgrade to FortiManager version 7.0.4 or above.
Please upgrade to FortiManager version 7.2.0 or above.
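An added triage helper (example code written for this page, not Fortinet tooling or part of the advisory) that encodes the affected and fixed ranges above and flags inventory entries still running an affected build; the inventory entries, hostnames and the `triage` / `is_affected` names are constructed for the example.

```python
"""Triage helper for this advisory: flag FortiAnalyzer / FortiManager
versions that fall inside the affected ranges listed above.
Constructed example, not Fortinet tooling; inventory entries are made up."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Branches the advisory lists as "all versions" affected (both products).
AFFECTED_BRANCHES = {(5, 6), (6, 0), (6, 2), (6, 4)}
# Inclusive range on the 7.0 branch: 7.0.0 through 7.0.3.
AFFECTED_RANGE: Tuple[Version, Version] = ((7, 0, 0), (7, 0, 3))
# First fixed release on each branch named in the Solutions section.
FIXED_FROM: Dict[Tuple[int, int], Version] = {(7, 0): (7, 0, 4), (7, 2): (7, 2, 0)}


def parse_version(text: str) -> Version:
    """Parse '7.0.3' or 'v7.0.3' into a comparable tuple; reject anything else."""
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at or after a fixed release, None if the
    branch is one the advisory does not name (treat as 'check separately')."""
    v = parse_version(version)
    branch = v[:2]
    if branch in AFFECTED_BRANCHES:
        return True
    low, high = AFFECTED_RANGE
    if low <= v <= high:
        return True
    if branch in FIXED_FROM and v >= FIXED_FROM[branch]:
        return False
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, product) pairs running an affected build."""
    return [(host, product) for host, product, version in inventory
            if product in ("FortiAnalyzer", "FortiManager") and is_affected(version)]


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up.
    sample = [("faz-01", "FortiAnalyzer", "7.0.3"), ("fmg-01", "FortiManager", "7.2.0")]
    for host, product in triage(sample):
        print(f"{host} ({product}) is affected; upgrade to 7.0.4+ or 7.2.0+")
```

Entries for which `is_affected` returns `None` are on a branch the advisory does not list and are deliberately not flagged, so review them separately rather than assuming they are safe.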

Acknowledgement

Fortinet is pleased to thank Alaa A. Bukhari for reporting this vulnerability under responsible disclosure.