Account creation outside initial IdP
Summary
An improper privilege management vulnerability [CWE-269] in FortiPortal may allow a remote and authenticated attacker to add users outside its initial IdP.
Affected Products
FortiPortal version 7.2.0 through 7.2.1
FortiPortal version 7.0.0 through 7.0.6
Solutions
Please upgrade to FortiPortal version 7.2.2
Please upgrade to FortiPortal version 7.0.7
Acknowledgement
Internally discovered and reported by Gary Chung of Fortinet Burnaby FortiPortal team.
Timeline
2023-12-19: Initial publication