FortiManager - Access Control missing in P&O module assignment vulnerability

FortiManager - Access Control missing in P&O module assignment vulnerability

Summary

An improper authentication vulnerability [CWE-287] in FortiManager may allow a standard user to assign or un-assign a global policy package via a POST request to flatui/json module.

Affected Products

FortiManager 6.4.3 and below.
FortiManager 6.2.6 and below.

Solutions

Upgrade to FortiManager 7.0.0 or above.

Upgrade to FortiManager 6.4.4 or above.

Upgrade to FortiManager 6.2.7 or above.