Improper authorization for HA requests
Summary
An improper privilege management vulnerability [CWE-269] in a FortiOS & FortiProxy HA cluster may allow an authenticated attacker to perform elevated actions over the web administrative interface via crafted HTTP or HTTPS requests.
Version | Affected | Solution |
---|---|---|
FortiOS 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
FortiOS 7.2 | 7.2.5 | Upgrade to 7.2.6 or above |
FortiProxy 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
Virtual Patch named "FortiOS.HA.RestAPI.Privilege.Elevation." is available in FMWP db update 23.104
edited on: 2023-10-23 12:21
Acknowledgement
Discovered by Justin Lum of Fortinet Web Development TeamTimeline
2024-01-02: Initial publication
2024-08-14: Added acknowledgment