PT-2023-1548 · Fortinet · FortiWeb

Published: 2023-02-16 · Updated: 2023-02-24 · CVE-2021-42761

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

FortiWeb versions 5.9.0 through 5.9.1
FortiWeb versions 6.0.0 through 6.0.7
FortiWeb versions 6.1.0 through 6.1.2
FortiWeb versions 6.2.0 through 6.2.6
FortiWeb versions 6.3.0 through 6.3.16
FortiWeb 6.4, all versions
Description

A condition in the session management of FortiWeb may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their sessions. The issue is related to a missing defense against session fixation. Exploitation of this issue can enable a remote attacker to take over the sessions of other users.
Recommendations

For FortiWeb versions 5.9.0 through 5.9.1, update to a version that includes a fix for this issue.
For FortiWeb versions 6.0.0 through 6.0.7, update to a version that includes a fix for this issue.
For FortiWeb versions 6.1.0 through 6.1.2, update to a version that includes a fix for this issue.
For FortiWeb versions 6.2.0 through 6.2.6, update to a version that includes a fix for this issue.
For FortiWeb versions 6.3.0 through 6.3.16, update to a version that includes a fix for this issue.
For FortiWeb 6.4, all versions, update to a version that includes a fix for this issue.

As a temporary workaround, consider restricting access to the session management mechanism to minimize the risk of exploitation.

Fix

Session Fixation

Weakness Enumeration

Related Identifiers

BDU:2023-01003
CVE-2021-42761

Affected Products

FortiWeb