FortiPortal - Insufficient Access Control over API endpoints

Summary

An Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] in FortiPortal may allow a remote, authenticated user with at least read-only permissions to access endpoints belonging to other organizations via crafted GET requests. In CWE-639 the server authenticates the caller but scopes the lookup by an object or tenant identifier taken from the request rather than from the session, so the check that should bind the request to the caller's own organization is missing or bypassable.
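The pattern the advisory describes, as an added illustration that is not FortiPortal's code and makes no claim about its internals: a multi-tenant GET handler that trusts the organization identifier from the request beside one that takes the tenant scope from the authenticated session. The data, user names and handler names are constructed for the example.

```python
"""Illustrative CWE-639 (Authorization Bypass Through User-Controlled Key)
pattern in a multi-tenant read endpoint. Constructed example with hypothetical
data and handler names; it is not FortiPortal code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Authenticated caller; org_id comes from the session, not the request."""
    name: str
    org_id: int


# Constructed tenant data: device records keyed by (org_id, device_id).
DEVICES = {
    (1, 100): {"org_id": 1, "name": "fw-edge-1", "serial": "ORG1-SN-0001"},
    (2, 200): {"org_id": 2, "name": "fw-core-1", "serial": "ORG2-SN-0002"},
}


class NotFound(Exception):
    pass


def get_device_vulnerable(caller: User, org_id: int, device_id: int) -> dict:
    """Vulnerable: the caller is authenticated, but the lookup is scoped by the
    org_id supplied in the request (e.g. a path or query parameter), so a
    read-only user in org 1 can fetch org 2's record by changing one number."""
    key = (org_id, device_id)
    if key not in DEVICES:
        raise NotFound(key)
    return DEVICES[key]


def get_device_fixed(caller: User, org_id: int, device_id: int) -> dict:
    """Fixed: the tenant scope is taken from the session. A request-supplied
    org_id that does not match the caller's organization is answered exactly
    like a missing object, so the response does not reveal whether the other
    organization's record exists."""
    if org_id != caller.org_id:
        raise NotFound((org_id, device_id))
    key = (caller.org_id, device_id)
    if key not in DEVICES:
        raise NotFound(key)
    return DEVICES[key]


def cross_tenant_leak(handler, caller: User, org_id: int, device_id: int) -> bool:
    """Check helper: True if the handler returned a record owned by an
    organization other than the caller's own."""
    try:
        record = handler(caller, org_id, device_id)
    except NotFound:
        return False
    return record["org_id"] != caller.org_id


if __name__ == "__main__":
    alice = User("alice", org_id=1)  # read-only user in organization 1
    print("vulnerable leaks org 2:", cross_tenant_leak(get_device_vulnerable, alice, 2, 200))
    print("fixed leaks org 2:     ", cross_tenant_leak(get_device_fixed, alice, 2, 200))
```

The same check applies to every object-scoped endpoint, not only the one first reported: a practitioner auditing a multi-tenant API should exercise each GET that carries an organization or object key with a low-privilege account from a different tenant and confirm the response is indistinguishable from a missing object.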

Version          Affected               Solution
FortiPortal 7.2  7.2.0 through 7.2.1    Upgrade to 7.2.2 or above
FortiPortal 7.0  7.0.0 through 7.0.6    Upgrade to 7.0.7 or above
FortiPortal 6.0  6.0 all versions       Migrate to a fixed release
FortiPortal 5.3  5.3 all versions       Migrate to a fixed release

Acknowledgement

Fortinet is pleased to thank Saravanan Ramanathan and Surbhi Roy from Vodafone for reporting this vulnerability under responsible disclosure.

Timeline

2023-12-19: Initial publication
2024-03-05: Acknowledgement update