Bypass of client-side password change policy enforcement Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-255 Final 1 1 2022-03-01T00:00:00 Current version 2022-03-01T00:00:00 2022-03-01T00:00:00 An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user. None Execute unauthorized code or commands FortiManager version 5.6.0 through 5.6.11FortiManager version 6.0.0 through 6.0.11FortiManager version 6.2.0 through 6.2.9FortiManager version 6.4.0 through 6.4.7FortiManager version 7.0.0 through 7.0.2FortiAnalyzer version 5.6.0 through 5.6.11FortiAnalyzer version 6.0.0 through 6.0.11FortiAnalyzer version 6.2.0 through 6.2.9FortiAnalyzer version 6.4.0 through 6.4.7FortiAnalyzer version 7.0.0 through 7.0.2 Upgrade to FortiAnalyzer version 7.0.3 or aboveUpgrade to FortiAnalyzer version 6.4.8 or aboveUpgrade to FortiManager version 7.0.3 or aboveUpgrade to FortiManager version 6.4.8 or above Fortinet is pleased to thank Alaa A. Bukhari for reporting this vulnerability under responsible disclosure CVE-2022-22300 3.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-255 Bypass of client-side password change policy enforcement Reference>