FortiManager Missing Function Level Control on WebUI Change Picture Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-014 Final 1 1 2018-06-22T00:00:00 Current version 2018-06-22T00:00:00 2018-06-22T00:00:00 An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can can edit the avatar picture of other users (including with higher privileges) with arbitrary content.Modern browsers would however not interpret code in the context of an image, therefore XSS attacks are only feasible if the target is using a legacy browser (I.E. 6 or below). Improper access control FortiAnalyzer 6.0.0 and below versions.FortiManager 6.0.0 and below versions. FortiAnalyzer: upgrade to 6.0.1 or higher versionsFortiManager: upgrade to 6.0.1 or higher versions Fortinet is pleased to thank independent researcher Donato Onofri reporting this vulnerability under responsible disclosure. CVE-2018-1354 0 https://fortiguard.fortinet.com/psirt/FG-IR-18-014 FortiManager Missing Function Level Control on WebUI Change Picture Reference>