FortiPortal - Account creation outside initial IdP

Summary

An improper privilege management vulnerability [CWE-269] in FortiPortal may allow a remote and authenticated attacker to add users outside its initial IdP.

Affected Products

FortiPortal version 7.2.0 through 7.2.1
FortiPortal version 7.0.0 through 7.0.6

Solutions

Please upgrade to FortiPortal version 7.2.2
Please upgrade to FortiPortal version 7.0.7

Acknowledgement

Internally discovered and reported by Gary Chung of Fortinet Burnaby FortiPortal team.

Timeline

2023-12-19: Initial publication