Insecure Installation Folder
Summary
An incorrect default permissions [CWE-276] vulnerability in FortiClient (Windows) and FortiConverter (Windows) may allow a local authenticated attacker to tamper with files in the installation folder, if FortiClient or FortiConverter is installed in an insecure folder.
Affected Products
FortiClientWindows version 7.0.0 through 7.0.6
FortiClientWindows version 6.4.0 through 6.4.8
FortiConverter version 7.0.0
FortiConverter 6.2 all versions
FortiConverter 6.0 all versions
Solutions
Please upgrade to FortiClientWindows version 7.0.7 or above
Please upgrade to FortiClientWindows version 6.4.9 or above
Please upgrade to FortiConverter version 7.0.1 or above
Please upgrade to FortiConverter version 6.2.2 or above
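The condition in the Summary (an installation folder that non-administrative users can modify) can be checked on a host with the following script. It is an added example, not part of Fortinet's advisory; the `-InstallPath` value and the list of trusted SIDs are assumptions to adjust for the host being audited.

```powershell
# Added example: list ACEs that let non-administrative principals modify
# files under an installation folder (the CWE-276 condition in the Summary).
param(
    # Placeholder: pass the real installation folder of the product being checked.
    [Parameter(Mandatory)][string]$InstallPath
)

# Principals allowed to write (assumption; adjust to local policy).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that permit creating, replacing or deleting files, or rewriting the ACL.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, stored unmapped in some ACEs
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# The folder itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $InstallPath -Force) +
         @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl   = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs directly so the check does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this object; children are checked on their own.
        if ($ace.PropagationFlags -band $InheritOnly) { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        if (($raw -band [int]$WriteRights) -or ($raw -band $GenericWriteOrAll)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap; exit 1 }
Write-Output "No write access for untrusted principals under $InstallPath"
```

Any row naming a broad group such as `S-1-5-32-545` (BUILTIN\Users) or `S-1-5-11` (Authenticated Users) means the folder matches the insecure-installation condition and its ACL should be tightened in addition to upgrading.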
Acknowledgement
Fortinet is pleased to thank Konrad Haase from Control Gap for reporting this vulnerability under responsible disclosure.
Timeline
2023-05-23: Initial publication