An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can replace the avatar picture of other users (including users with higher privileges) with arbitrary content.
Modern browsers, however, do not interpret code in the context of an image, so XSS attacks are only feasible if the target is using a legacy browser (IE 6 or below).
Affected Products
FortiAnalyzer 6.0.0 and below versions.
FortiManager 6.0.0 and below versions.
Solutions
FortiAnalyzer: upgrade to 6.0.1 or higher versions.
FortiManager: upgrade to 6.0.1 or higher versions.
Fortinet is pleased to thank independent researcher Donato Onofri for reporting this vulnerability under responsible disclosure.