FortiAnalyzer -- the log-fetch client request password is shown in clear text in the heartbeat response

Summary

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiAnalyzer may allow a remote authenticated attacker to read the client machine password in plain text in a heartbeat response when a log-fetch request is made from the FortiAnalyzer

Version Affected Solution
FortiAnalyzer 7.2 7.2.0 through 7.2.1 Upgrade to 7.2.2 or above
FortiAnalyzer 7.0 7.0.0 through 7.0.4 Upgrade to 7.0.5 or above
FortiAnalyzer 6.4 6.4.0 through 6.4.10 Upgrade to 6.4.11 or above