PSIRT Advisories
FortiProxy - Unauthenticated SSL VPN users password modification
Summary
An improper access control vulnerability in the FortiProxy SSL VPN web portal may allow an unauthenticated, remote attacker to change local SSL-VPN users' passwords via specially crafted HTTP requests.
Affected Products
FortiProxy version 2.0.0
FortiProxy versions 1.2.8 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.
Solutions
Please upgrade to FortiProxy versions 1.2.9 or above.
Please upgrade to FortiProxy versions 2.0.1 or above.