Improper authorization via prof-admin profile

Summary

An improper authorization vulnerability [CWE-285] in FortiOS's WEB UI component may allow an authenticated attacker belonging to the prof-admin profile to perform elevated actions.

Version Affected Solution
FortiOS 7.4 Not affected Not Applicable
FortiOS 7.2 7.2.0 through 7.2.4 Upgrade to 7.2.5 or above
FortiOS 7.0 7.0.0 through 7.0.11 Upgrade to 7.0.12 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by Fortinet QA team.

Timeline

2023-10-10: Initial publication