PT-2021-12499 · Fortinet · FortiIsolator
Published: 2021-02-08 · Updated: 2021-02-10 · CVE-2020-6649
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FortiIsolator versions 2.0.1 and below
Description: The issue is related to an insufficient session expiration in FortiIsolator, which may allow an attacker to reuse unexpired admin user session IDs to gain admin privileges if the attacker can obtain the session ID through other means.
Recommendations: For FortiIsolator versions 2.0.1 and below, consider implementing additional session management controls, such as manually expiring or revoking admin sessions after a certain period of inactivity, until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
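The recommended workaround (expiring or revoking admin sessions after a period of inactivity) is a generic session-management control rather than anything specific to FortiIsolator. The following is an added example, not code from Fortinet or from the advisory, of a minimal server-side session store that enforces an idle timeout, an absolute session lifetime, and explicit revocation of admin sessions. The timeout values, the `Session` and `SessionStore` names, and the injected clock (`now`) are all assumptions of this example; a real deployment would also invalidate the session on logout and on password or privilege changes.

```python
"""Added example (not FortiIsolator code): server-side session store with
idle timeout, absolute lifetime, and revocation. The caller passes the
current time so the policy can be exercised deterministically in tests."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    is_admin: bool
    created_at: float   # epoch seconds when the session was issued
    last_seen: float    # epoch seconds of the last validated request
    revoked: bool = False


class SessionStore:
    # Assumed policy values (seconds); tune per deployment.
    def __init__(self, idle_timeout: int = 600, absolute_lifetime: int = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, is_admin: bool, now: float) -> str:
        # 256 bits from the OS CSPRNG; unguessable session identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, is_admin, now, now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[Session]:
        """Return the live session for sid, or None if unknown, revoked,
        idle too long, or older than the absolute lifetime. Expired
        sessions are deleted so a later presentation of the id fails too."""
        sess = self._sessions.get(sid)
        if sess is None or sess.revoked:
            return None
        if now - sess.created_at > self.absolute_lifetime:
            del self._sessions[sid]
            return None
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess.last_seen = now   # activity extends the idle window only
        return sess

    def revoke(self, sid: str) -> bool:
        """Explicitly invalidate one session (logout, credential change)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        sess.revoked = True
        return True

    def revoke_all_admin(self) -> int:
        """Bulk-revoke every live admin session; returns how many were hit.
        Useful as a manual control when a session id may have leaked."""
        count = 0
        for sess in self._sessions.values():
            if sess.is_admin and not sess.revoked:
                sess.revoked = True
                count += 1
        return count

    def purge_expired(self, now: float) -> int:
        """Housekeeping: drop revoked or timed-out entries from storage."""
        dead = [
            sid for sid, s in self._sessions.items()
            if s.revoked
            or now - s.created_at > self.absolute_lifetime
            or now - s.last_seen > self.idle_timeout
        ]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)
```

Because `validate` deletes the entry on expiry, a captured session id stops working after the idle window even if the original user never logs out, which is the property the advisory says FortiIsolator 2.0.1 and below lacks. The absolute lifetime bounds how long a continuously used admin session can live regardless of activity.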

Weakness Enumeration: Insufficient Session Expiration

Related Identifiers: CVE-2020-6649

Affected Products: FortiIsolator