FortiAnalyzer & FortiManager - improper authorization to template image


An exposure of resource to wrong sphere vulnerability [CWE-668] in FortiAnalyzer and FortiManager GUI may allow an unauthenticated
and remote attacker to access report template images via referencing the name in the URL path.

Affected Products

FortiManager version 7.0.0 through 7.0.3
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiManager 6.0 all versions
FortiManager 5.6 all versions

FortiAnalyzer version 7.0.0 through 7.0.3
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions
FortiAnalyzer 6.0 all versions
FortiAnalyzer 5.6 all versions


Please upgrade to FortiAnalyzer version 7.0.4 or above
Please upgrade to FortiAnalyzer version 7.2.0 or above
Please upgrade to FortiManager version 7.0.4 or above.
Please upgrade to FortiManager version 7.2.0 or above.


Fortinet is pleased to thank Alaa A. Bukhari for reporting this vulnerability under responsible disclosure