CVE-2019-17654: 
Fortinet FortiManager vulnerability analysis and mitigation

An Insufficient Verification of Data Authenticity vulnerability (CVE-2019-17654) affects FortiManager versions 6.2.1, 6.2.0, 6.0.6 and below. This vulnerability was disclosed on March 15, 2020, and allows an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack (NVD, CVE Mitre).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), but does need user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is all rated as high (C:H/I:H/A:H) (NVD).

The vulnerability can potentially lead to high impacts on confidentiality, integrity, and availability of the affected systems. As a Cross-Site WebSocket Hijacking vulnerability, it could allow attackers to intercept and manipulate WebSocket communications between the client and server (NVD).

Organizations should upgrade affected FortiManager installations to versions newer than those affected (6.2.1, 6.2.0, 6.0.6 and below). Fortinet has released patches to address this vulnerability (Fortiguard Advisory).