PT-2022-5022 · Fortinet · FortiAnalyzer, FortiManager

Published: 2022-10-10 · Updated: 2022-10-12 · CVE-2022-26121

CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

FortiAnalyzer and FortiManager GUI versions 5.6.0 through 5.6.11
FortiAnalyzer and FortiManager GUI versions 6.0.0 through 6.0.11
FortiAnalyzer and FortiManager GUI versions 6.2.0 through 6.2.9
FortiAnalyzer and FortiManager GUI versions 6.4.0 through 6.4.8
FortiAnalyzer and FortiManager GUI versions 7.0.0 through 7.0.3

Description

The issue is an exposure of a resource to the wrong sphere: an unauthenticated, remote attacker may be able to retrieve report template images by referencing the image name in the URL path, without any access check. This could lead to information disclosure. The vulnerability lies in the graphical user interface of FortiManager and FortiAnalyzer, Fortinet's tools for centralized management of devices.

Recommendations

For every affected branch (FortiAnalyzer and FortiManager GUI versions 5.6.0 through 5.6.11, 6.0.0 through 6.0.11, 6.2.0 through 6.2.9, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.3), update to a version that contains a fix for this issue. As a temporary workaround until a patched version is deployed, consider restricting access to report template images via the URL path.

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

BDU:2022-06235
CVE-2022-26121

Affected Products

FortiAnalyzer
FortiManager