Inadequate user validation and no brute force protection on change password requests Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-24-048 Final 1 1 2024-09-10T00:00:00 Current version 2024-09-10T00:00:00 2024-09-11T00:00:00 An improper authorization vulnerability [CWE-285] in FortiSOAR change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests. None Improper access control Fortinet is pleased to thank James Cato from New Zealand Police for reporting this vulnerability under responsible disclosure. FortiSOAR on-premise 7.4.3 FortiSOAR on-premise 7.4.2 FortiSOAR on-premise 7.4.1 FortiSOAR on-premise 7.4.0 FortiSOAR on-premise 7.3.2 FortiSOAR on-premise 7.3.1 FortiSOAR on-premise 7.3.0 FortiSOAR on-premise 7.2.2 FortiSOAR on-premise 7.2.1 FortiSOAR on-premise 7.2.0 FortiSOAR on-premise 7.0.3 FortiSOAR on-premise 7.0.2 FortiSOAR on-premise 7.0.1 FortiSOAR on-premise 7.0.0 CVE-2024-45327 FortiSOAR on-premise-7.4.3 FortiSOAR on-premise-7.4.2 FortiSOAR on-premise-7.4.1 FortiSOAR on-premise-7.4.0 FortiSOAR on-premise-7.3.2 FortiSOAR on-premise-7.3.1 FortiSOAR on-premise-7.3.0 FortiSOAR on-premise-7.2.2 FortiSOAR on-premise-7.2.1 FortiSOAR on-premise-7.2.0 FortiSOAR on-premise-7.0.3 FortiSOAR on-premise-7.0.2 FortiSOAR on-premise-7.0.1 FortiSOAR on-premise-7.0.0 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-24-048 Inadequate user validation and no brute force protection on change password requests Reference>