Improper inter ADOM access control

Summary

An improper access control vulnerability [CWE-284] in FortiManager management interface may allow a remote and authenticated attacker with at least "device management" permission on his profile and belonging to a specific ADOM to add and delete CLI script on other ADOMs

Affected Products

FortiManager version 7.2.0 through 7.2.2
FortiManager version 7.0.0 through 7.0.7
FortiManager version 6.4.0 through 6.4.11
FortiManager 6.2 all versions
FortiManager 6.0 all versions

Solutions

Please upgrade to FortiManager version 7.4.0 or above
Please upgrade to FortiManager version 7.2.3 or above
Please upgrade to FortiManager version 7.0.8 or above
Please upgrade to FortiManager version 6.4.12 or above

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.

Timeline

2023-10-10: Initial publication