FortiOS -- Read-Only users able to modify the Interface fields using the API

Summary

An improper access control [CWE-284] vulnerability in FortiOS may allow a remote authenticated read-only user to modify the interface settings via the API.

Affected Products

FortiOS version 7.2.0
FortiOS version 7.0.0 through 7.0.7
FortiOS 6.4 all versions

FortiSwitchManager version 7.2.0 through 7.2.1
FortiSwitchManager version 7.0.0 through 7.0.1

Solutions

Please upgrade to FortiOS version 7.2.1 or above
Please upgrade to FortiOS version 7.0.8 or above
Please upgrade to FortiSwitchManager version 7.2.2 or above
Please upgrade to FortiSwitchManager version 7.0.2 or above

Note that this advisory lists no fixed FortiOS 6.4 release: 6.4 installations remain affected until they are moved to one of the fixed 7.0 or 7.2 releases above.
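The following triage helper is an added example and is not part of Fortinet's advisory or product code. It encodes the affected and fixed ranges listed above so that a fleet inventory can be checked offline; the branch table and the "6.4 has no fixed release" handling come straight from the lists above. The `FortiGate-60F v7.0.7,build0367,...` banner format it accepts is the form printed by `get system status` and is an assumption here, as are the sample inventory rows, which are constructed.

```python
"""Triage helper for this advisory (added example, not Fortinet code)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed patch level per (product, major.minor branch), taken from the
# Affected Products and Solutions lists of the advisory. None means the
# advisory lists the whole branch as affected and names no fixed release.
FIXED_BY_BRANCH: Dict[Tuple[str, Tuple[int, int]], Optional[Version]] = {
    ("FortiOS", (7, 2)): (7, 2, 1),
    ("FortiOS", (7, 0)): (7, 0, 8),
    ("FortiOS", (6, 4)): None,
    ("FortiSwitchManager", (7, 2)): (7, 2, 2),
    ("FortiSwitchManager", (7, 0)): (7, 0, 2),
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from a bare "7.0.7" or from a status banner
    such as "FortiGate-60F v7.0.7,build0367,221017 (GA.F)" (banner format
    is an assumption of this example)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no major.minor.patch version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fixed_release(product: str, text: str) -> Optional[str]:
    """Lowest fixed release on the device's own branch, or None when the
    advisory names none (FortiOS 6.4) or does not list that branch."""
    ver = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((product, ver[:2]))
    return None if fixed is None else ".".join(str(n) for n in fixed)


def is_affected(product: str, text: str) -> bool:
    """True when the version falls inside an affected range of the advisory.
    Branches the advisory does not name are reported as not affected by this
    check only; that is scope, not a statement about those releases."""
    ver = parse_version(text)
    key = (product, ver[:2])
    if key not in FIXED_BY_BRANCH:
        return False
    fixed = FIXED_BY_BRANCH[key]
    return fixed is None or ver < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return a (host, verdict) pair per (host, product, version) row."""
    verdicts: List[Tuple[str, str]] = []
    for host, product, text in inventory:
        if not is_affected(product, text):
            verdicts.append((host, "not affected per advisory"))
            continue
        fixed = fixed_release(product, text)
        if fixed is None:
            verdicts.append((host, "affected; no fixed release on this branch, "
                                   "migrate to a fixed 7.0 or 7.2 release"))
        else:
            verdicts.append((host, f"affected; upgrade to {product} {fixed} or above"))
    return verdicts


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "FortiOS", "FortiGate-60F v7.0.7,build0367,221017 (GA.F)"),
    ("fw-edge-2", "FortiOS", "7.0.8"),
    ("fw-legacy", "FortiOS", "6.4.11"),
    ("fsm-1", "FortiSwitchManager", "7.2.1"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

The check compares the full major.minor.patch tuple against the first fixed level on the same branch, so a later patch release on a listed branch (for example FortiOS 7.0.9) is correctly reported as fixed, while every 6.4 build is reported as affected because the advisory gives that branch no fixed release.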

Acknowledgement

Fortinet is pleased to thank Alexis La Goutte for reporting this vulnerability under responsible disclosure