An improper authentication vulnerability [CWE-287] in FortiManager may allow a standard user to assign or un-assign a global policy package via a POST request to flatui/json module.
FortiManager 6.4.3 and below.
FortiManager 6.2.6 and below.
Upgrade to FortiManager 7.0.0 or above.
Upgrade to FortiManager 6.4.4 or above.
Upgrade to FortiManager 6.2.7 or above.