Privileged admin able to modify super-admin's password
Summary
An unverified password change vulnerability [CWE-620] in FortiManager or FortiAnalyzer may allow a read-write user to modify admin passwords via the device configuration backup.
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.6 | Not affected | Not Applicable |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
| FortiAnalyzer 6.4 | Not affected | Not Applicable |
| FortiManager 7.6 | Not affected | Not Applicable |
| FortiManager 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
| FortiManager 6.4 | Not affected | Not Applicable |