FortiManager / FortiAnalyzer - Unprivileged user can access web console and run some unauthorized commands

Summary

A client-side enforcement of server-side security [CWE-602] vulnerability in FortiManager and FortiAnalyzer may allow a remote attacker with low privileges to access a privileged web console via client-side code execution.

| Version                   | Affected              | Solution                   |
|---------------------------|-----------------------|----------------------------|
| FortiAnalyzer 7.4         | 7.4.0                 | Upgrade to 7.4.1 or above  |
| FortiAnalyzer 7.2         | 7.2.0 through 7.2.3   | Upgrade to 7.2.4 or above  |
| FortiAnalyzer 7.0         | 7.0.0 through 7.0.9   | Upgrade to 7.0.10 or above |
| FortiAnalyzer 6.4         | 6.4 all versions      | Migrate to a fixed release |
| FortiAnalyzer 6.2         | 6.2 all versions      | Migrate to a fixed release |
| FortiAnalyzer-BigData 7.4 | Not affected          | Not Applicable             |
| FortiAnalyzer-BigData 7.2 | 7.2.0 through 7.2.5   | Upgrade to 7.2.6 or above  |
| FortiAnalyzer-BigData 7.0 | 7.0 all versions      | Migrate to a fixed release |
| FortiManager 7.4          | 7.4.0                 | Upgrade to 7.4.1 or above  |
| FortiManager 7.2          | 7.2.0 through 7.2.3   | Upgrade to 7.2.4 or above  |
| FortiManager 7.0          | 7.0.0 through 7.0.9   | Upgrade to 7.0.10 or above |
| FortiManager 6.4          | 6.4 all versions      | Migrate to a fixed release |
| FortiManager 6.2          | 6.2 all versions      | Migrate to a fixed release |
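To put the table to use for an asset check, here is an added example (not Fortinet's code) that transcribes the affected ranges above and flags inventory rows that fall inside them; the inventory rows and host names are constructed placeholders, and a branch the advisory does not list is reported as not affected by this advisory only.

```python
import re

# Affected ranges transcribed from the advisory table above: (product, first_affected,
# last_affected, remedy); last=None marks a whole branch. Unlisted branches (BigData 7.4) are not affected.
ADVISORY = [
    ("FortiAnalyzer", "7.4.0", "7.4.0", "Upgrade to 7.4.1 or above"),
    ("FortiAnalyzer", "7.2.0", "7.2.3", "Upgrade to 7.2.4 or above"),
    ("FortiAnalyzer", "7.0.0", "7.0.9", "Upgrade to 7.0.10 or above"),
    ("FortiAnalyzer", "6.4.0", None, "Migrate to a fixed release"),
    ("FortiAnalyzer", "6.2.0", None, "Migrate to a fixed release"),
    ("FortiAnalyzer-BigData", "7.2.0", "7.2.5", "Upgrade to 7.2.6 or above"),
    ("FortiAnalyzer-BigData", "7.0.0", None, "Migrate to a fixed release"),
    ("FortiManager", "7.4.0", "7.4.0", "Upgrade to 7.4.1 or above"),
    ("FortiManager", "7.2.0", "7.2.3", "Upgrade to 7.2.4 or above"),
    ("FortiManager", "7.0.0", "7.0.9", "Upgrade to 7.0.10 or above"),
    ("FortiManager", "6.4.0", None, "Migrate to a fixed release"),
    ("FortiManager", "6.2.0", None, "Migrate to a fixed release"),
]
def parse_version(text):
    """'7.0.10' -> (7, 0, 10); rejects anything that is not major.minor.patch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(product, version):
    """Return (affected, remedy) for one product/version according to this advisory."""
    v = parse_version(version)
    for prod, first, last, remedy in ADVISORY:
        if prod != product or parse_version(first)[:2] != v[:2]:
            continue  # other product, or other release branch
        if last is None or parse_version(first) <= v <= parse_version(last):
            return True, remedy
        return False, None  # listed branch, but at or past the fixed build
    return False, None  # branch not listed by this advisory

def scan_inventory(text):
    """Return [(host, remedy)] for each affected 'host,product,version' row."""
    hits = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            host, product, version = (f.strip() for f in line.split(","))
            affected, remedy = assess(product, version)
            if affected:
                hits.append((host, remedy))
    return hits
SAMPLE_INVENTORY = """# constructed sample; host names are placeholders
fmg-hq,FortiManager,7.2.2
faz-bd,FortiAnalyzer-BigData,7.4.0
fmg-lab,FortiManager,6.4.13"""
```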

Acknowledgement

Fortinet is pleased to thank security researchers Mickael Dorigny at Orange Cyberdéfense, Hélène Saliou, Frédéric Prevost, François-Xavier Picard and Orange CERT-CC at Orange group for discovering and reporting this vulnerability under responsible disclosure.

Timeline

2023-10-10: Initial publication