FortiManager - Access Control missing in P&O module assignment vulnerability


An improper authentication vulnerability [CWE-287] in FortiManager may allow a standard user to assign or un-assign a global policy package via a POST request to the flatui/json module.

Affected Products

FortiManager 6.4.3 and below.
FortiManager 6.2.6 and below.


Solutions

Upgrade to FortiManager 7.0.0 or above.
Upgrade to FortiManager 6.4.4 or above.
Upgrade to FortiManager 6.2.7 or above.