CVE-2017-7337

Name of the Vulnerable Software and Affected Versions Fortinet FortiPortal versions 4.0.0 and below

Description The issue is related to improper Access Control, allowing an attacker to interact with unauthorized VDOMs or enumerate other ADOMs. This can be achieved via another user's stolen session and CSRF tokens or by exploiting the adomName parameter in the "/fpc/sec/customer/policy/getAdomVersion" API endpoint.

Recommendations For Fortinet FortiPortal versions 4.0.0 and below, consider restricting access to the "/fpc/sec/customer/policy/getAdomVersion" API endpoint and ensure proper session and CSRF token management to prevent unauthorized interactions. Additionally, limit the use of the adomName parameter to minimize the risk of ADOM enumeration.