FortiManager Cross-Site WebSocket Hijacking (CSWSH)
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-19-191
Final
1
1
2020-02-13T00:00:00
Current version
2020-02-13T00:00:00
2020-02-13T00:00:00
An Insufficient Verification of Data Authenticity vulnerability in FortiManager may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.
Improper Access Control
FortiManager 6.2.0 to 6.2.1, 6.0.6 and earlier
Upgrade to FortiManager 6.2.2 or 6.0.7
Fortinet is pleased to thank the independent research team of Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this issue under responsible disclosure.
FortiManager 6.2.1
FortiManager 6.2.0
FortiManager 6.0.6
FortiManager 6.0.5
FortiManager 6.0.4
FortiManager 6.0.3
FortiManager 6.0.2
FortiManager 6.0.1
FortiManager 6.0.0
FortiManager 5.6.11
FortiManager 5.6.10
FortiManager 5.6.9
FortiManager 5.6.8
FortiManager 5.6.7
FortiManager 5.6.6
FortiManager 5.6.5
FortiManager 5.6.4
FortiManager 5.6.3
FortiManager 5.6.2
FortiManager 5.6.1
FortiManager 5.6.0
CVE-2019-17654
5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-19-191