An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiClient for Mac may allow a local authenticated attacker to obtain the SSL-VPN password in cleartext by running a logstream for the FortiTray process in the terminal.

| Affected | Solution |
|---|---|
| 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |

Acknowledgement

Fortinet is pleased to thank Pavel Bondarenko for reporting this vulnerability under responsible disclosure.
- Disable "Save Password" setting either on FortiGate SSLVPN settings or in FortiClientMAC