An authentication bypass using an alternate path or channel vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.3, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2.2 through 7.2.11, FortiManager 7.6.0 through 7.6.3, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2.2 through 7.2.11, FortiManager Cloud 7.6.0 through 7.6.3, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2.2 through 7.2.10 may allow an attacker with knowledge of the admin's password to bypass multifactor authentication checks by submitting multiple crafted requests.
The product requires authentication, but the product has an alternate path or channel that does not require authentication.

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| FortiAnalyzer | Fortinet | 7.2.2 (including) | 7.4.8 (excluding) |
| FortiAnalyzer | Fortinet | 7.6.0 (including) | 7.6.4 (excluding) |
| FortiManager | Fortinet | 7.2.2 (including) | 7.4.8 (excluding) |
| FortiManager | Fortinet | 7.6.0 (including) | 7.6.4 (excluding) |
| FortiManager Cloud | Fortinet | 7.2.2 (including) | 7.4.8 (excluding) |
| FortiManager Cloud | Fortinet | 7.6.0 (including) | 7.6.4 (excluding) |