Improper Access Control in Fortinet FortiManager and FortiAnalyzer
CVE-2018-1354
6.5 MEDIUM
Key Information:
- Vendor: Fortinet
- CVE Published: 27 June 2018
What is CVE-2018-1354?
An improper access control vulnerability exists in Fortinet FortiManager and FortiAnalyzer that permits a regular user to modify the avatar picture of other users using arbitrary content. This flaw resides in versions 6.0.0 and 5.6.5 and below. When exploited, unauthorized users can change the profile images of other accounts, potentially leading to identity spoofing or reputational damage. Users of these affected products should take immediate action to mitigate risks and apply security patches from Fortinet.
Affected Version(s)
- Fortinet FortiManager, FortiAnalyzer: FortiManager 6.0.0, 5.6.5 and below versions
- Fortinet FortiManager, FortiAnalyzer: FortiAnalyzer 6.0.0, 5.6.5 and below versions