An access control vulnerability [CWE-284] in FortiNAC may allow a remote attacker authenticated on the administrative interface to perform unauthorized JSP calls via crafted HTTP requests.
FortiNAC version 9.4.0 through 9.4.2
FortiNAC 9.2.0 through 9.2.7
FortiNAC 9.1 all versions
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
Please upgrade to FortiNAC-F version 7.2.0 or above
Please upgrade to FortiNAC version 9.4.3 or above
Please upgrade to FortiNAC version 9.2.8 or above
Acknowledgement
Internally discovered and reported by Giulia Clerici and Théo Leleu of the Fortinet Product Security team.
2023-05-09: Initial publication