FortiManager --- Password observed in cleartext in the config conflict file

Summary

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager may allow a low privileged authenticated user to gain access to the FortiGate users credentials via the config conflict file.

Affected Products

FortiManager version 7.0.0 through 7.0.2
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.11

Solutions

Please upgrade to FortiManager verison 7.0.3 or above.


Please upgrade to FortiManager version 6.4.8 or above.

Acknowledgement

Fortinet is pleased to thank Aymen Idriss from Topnet for reporting this vulnerability under responsible disclosure.