CVE Vulnerabilities

CVE-2025-59808

Unverified Password Change

Published: Dec 09, 2025 | Modified: Dec 09, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

An unverified password change vulnerability [CWE-620] in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, and FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password.

Weakness

When setting a new password for a user, the product does not require knowledge of the original password or another form of authentication. In practice this means a stolen or hijacked session is enough to lock the legitimate owner out: the attacker replaces the credential without ever proving they hold it.
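The pattern described by CWE-620, shown as an added illustration rather than FortiSOAR's own code: a password-change handler that trusts the session alone, next to a hardened handler that re-verifies the current password, rejects the change otherwise, and revokes every other session so a hijacker cannot keep using the account after the owner recovers it. The `User` record, the PBKDF2 parameters and the in-memory session set are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed, simplified account record for this example only.
@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)  # active session tokens


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison so timing does not leak how close a guess was.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


def _set_new_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)


# CWE-620 pattern: any holder of a valid session can overwrite the credential.
# Nothing proves the caller knows the existing password.
def change_password_unverified(user: User, session: str, new_password: str) -> bool:
    if session not in user.sessions:
        return False
    _set_new_password(user, new_password)
    return True


# Hardened form: the caller must present the current password (or, in a real
# system, another step-up factor) before the credential is replaced.
def change_password_verified(user: User, session: str,
                             current_password: str, new_password: str) -> bool:
    if session not in user.sessions:
        return False
    if not verify_password(user, current_password):
        # Wrong current password: refuse and leave the credential untouched.
        return False
    if new_password == current_password:
        return False
    _set_new_password(user, new_password)
    # Revoke every other session so a hijacked one is cut off immediately.
    user.sessions = {session}
    return True


if __name__ == "__main__":
    alice = create_user("alice", "original-secret")
    alice.sessions.update({"owner-session", "stolen-session"})
    # The weak handler lets the stolen session lock the owner out.
    print(change_password_unverified(alice, "stolen-session", "attacker-choice"))
    # The hardened handler refuses without the current password.
    print(change_password_verified(alice, "stolen-session", "guess", "x"))
```

The decisive line is the `verify_password` call in the hardened handler: a session token proves that someone logged in at some point, not that the person now at the keyboard is the account owner. Requiring the existing password (or an equivalent re-authentication step) ties the change to knowledge only the owner should have, and clearing the other sessions closes the window in which a hijacker could act on the new credential.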

Affected Software

Name       Vendor     Start Version       End Version
Fortisoar  Fortinet   7.3.0 (including)   7.5.2 (excluding)
Fortisoar  Fortinet   7.6.0 (including)   7.6.3 (including)

Potential Mitigations

References