FortiManager & FortiAnalyzer - Improper privilege management on API requests

Summary

An improper privilege management vulnerability [CWE-269] in FortiManager and FortiAnalyzer API may allow a remote and authenticated API admin user to access some system settings such as the mail server settings through the API via a stolen GUI session ID.

Version             Affected                 Solution
FortiAnalyzer 7.4   Not affected             Upgrade to 7.4.0 or above
FortiAnalyzer 7.2   7.2.0 through 7.2.2      Upgrade to 7.2.3 or above
FortiAnalyzer 7.0   7.0.0 through 7.0.7      Upgrade to 7.0.8 or above
FortiAnalyzer 6.4   6.4.0 through 6.4.11     Upgrade to 6.4.12 or above
FortiAnalyzer 6.2   6.2 all versions         Migrate to a fixed release
FortiAnalyzer 6.0   6.0 all versions         Migrate to a fixed release
FortiManager 7.4    Not affected             Upgrade to 7.4.0 or above
FortiManager 7.2    7.2.0 through 7.2.2      Upgrade to 7.2.3 or above
FortiManager 7.0    7.0.0 through 7.0.7      Upgrade to 7.0.8 or above
FortiManager 6.4    6.4.0 through 6.4.11     Upgrade to 6.4.12 or above
FortiManager 6.2    6.2 all versions         Migrate to a fixed release
FortiManager 6.0    6.0 all versions         Migrate to a fixed release
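The following is an added triage helper, not Fortinet's code, that encodes the affected ranges from the table above and decides whether a given FortiManager or FortiAnalyzer version needs the listed remediation. It compares versions numerically (so 6.4.2 is correctly inside 6.4.0 through 6.4.11, which a plain string comparison would miss); the product and version strings are assumed to come from your own asset inventory.

```python
import re
from typing import Optional, Tuple

PRODUCTS = ("FortiManager", "FortiAnalyzer")

# Per-branch rules transcribed from the advisory table (identical for both products).
# None          -> branch not affected
# "all"         -> every release in the branch is affected, no fixed release in branch
# (first, last, fix) -> inclusive affected range and the first fixed release
BRANCH_RULES = {
    "7.4": None,
    "7.2": ("7.2.0", "7.2.2", "7.2.3"),
    "7.0": ("7.0.0", "7.0.7", "7.0.8"),
    "6.4": ("6.4.0", "6.4.11", "6.4.12"),
    "6.2": "all",
    "6.0": "all",
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch as integers; trailing build tags are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(product: str, version: str) -> Tuple[bool, str]:
    """Return (affected, action) for one product/version pair."""
    if product not in PRODUCTS:
        raise ValueError(f"{product} is not covered by this advisory")
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in BRANCH_RULES:
        raise ValueError(f"branch {branch} is not listed in this advisory")
    rule = BRANCH_RULES[branch]
    if rule is None:
        return False, f"{branch} branch not affected"
    if rule == "all":
        return True, "Migrate to a fixed release"
    first, last, fix = rule
    if parse_version(first) <= parsed <= parse_version(last):
        return True, f"Upgrade to {fix} or above"
    return False, f"{version} is at or above fixed release {fix}"


if __name__ == "__main__":
    # Constructed inventory sample, not real hosts.
    for prod, ver in (("FortiManager", "7.0.7"), ("FortiAnalyzer", "6.4.12")):
        print(prod, ver, assess(prod, ver))
```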

Timeline

2023-09-01: Initial publication