FortiManager & FortiAnalyzer - Improper access control on the administrators account list

Summary

An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface may allow a remote and authenticated attacker with restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration.

Affected Products

FortiManager version 7.0.0.
FortiManager version 6.4.5 and below.
FortiManager version 6.2.8 and below.
FortiManager version 6.2.x.
FortiManager version 6.0.x.
FortiManager version 5.6.x.

FortiAnalyzer version 7.0.0.
FortiAnalyzer version 6.4.5 and below.
FortiAnalyzer version 6.2.8 and below.
FortiAnalyzer version 6.0.x.
FortiAnalyzer version 5.6.x.

Solutions

Please upgrade to FortiManager version 7.0.1 or above.
Please upgrade to FortiManager version 6.4.6 or above.
Please upgrade to FortiManager version 6.2.9 or above.

Please upgrade to FortiAnalyzer version 7.0.1 or above.
Please upgrade to FortiAnalyzer version 6.4.6 or above.
Please upgrade to FortiAnalyzer version 6.2.9 or above.

Acknowledgement

Fortinet is pleased to thank Clément Amic, Pierre Milioni and Adrien Peter from Synacktiv for reporting this vulnerability under responsible disclosure.