Readonly users able to modify LDAP test connectivity API fields Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-157 Final 1 1 2021-06-01T00:00:00 Current version 2021-06-01T00:00:00 2021-06-01T00:00:00 FortiGate's and FortiADC's read-only admins are able to point an LDAP server connectivity test request to a rogue LDAP server instead of the configured one, in order to obtain the LDAP server login credentials configured in the FortiGate. Improper access control FortiOS 6.0.2 and beforeFortiADC 6.1.0 and beforeFortiADC 6.0.1 and beforeFortiADC 5.4.4 and before Upgrade to FortiOS 6.0.3 or upcoming 6.2.0Please upgrade to FortiADC 6.1.1 or above.Please upgrade to FortiADC 6.0.2 or above.Please upgrade to FortiADC 5.4.5 or above. Fortinet is pleased to thank Julio Engels Ureña Martinez for reporting this vulnerability under responsible disclosure. CVE-2018-13374 4.2 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-157 Readonly users able to modify LDAP test connectivity API fields Reference>