Improper inter ADOM access control
Summary
An improper access control vulnerability [CWE-284] in the FortiManager management interface may allow a remote, authenticated attacker whose profile has at least the "device management" permission, and who belongs to a specific ADOM, to add and delete CLI scripts in other ADOMs.
Affected Products
FortiManager version 7.2.0 through 7.2.2
FortiManager version 7.0.0 through 7.0.7
FortiManager version 6.4.0 through 6.4.11
FortiManager 6.2 all versions
FortiManager 6.0 all versions
Solutions
Please upgrade to FortiManager version 7.4.0 or above
Please upgrade to FortiManager version 7.2.3 or above
Please upgrade to FortiManager version 7.0.8 or above
Please upgrade to FortiManager version 6.4.12 or above
FortiManager 6.2 and 6.0 have no fixed release in their own branch; migrate to one of the fixed versions listed above.
Acknowledgement
Internally discovered and reported by Wilfried Djettchou of the Fortinet Product Security team.
Timeline
2023-10-10: Initial publication