=====================================================================
                            CERT-Renater

                 Note d'Information No. 2020/VULN134
_____________________________________________________________________

DATE                 : 12/03/2020

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running FortiPresence versions prior
                       to 20.1.

=====================================================================
https://fortiguard.com/psirt/FG-IR-19-258
_____________________________________________________________________

Authorizations Bypass in the FortiPresence portal parameters

IR Number : FG-IR-19-258
Date      : Mar 09, 2020
Risk      : 3/5
Impact    : Improper Access Control
CVE ID    : CVE-2020-6641, CVE-2020-6642

Summary

Two authorization bypass through user-controlled key vulnerabilities
in the FortiPresence administration interface may allow an attacker
to gain access to some user data via portal manager or portal users
parameters.

Impact

Improper Access Control

Affected Products

FortiPresence 2.1.0 and below

Solutions

Please upgrade to FortiPresence 20.1 or above.
Starting in 2020, FortiPresence will employ a new version syntax.

Acknowledgement

Fortinet is pleased to thank SI9INT for reporting this vulnerability
under responsible disclosure.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================