CVE-2021-24019

Published: Oct 6, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

Affected (2)

Products: Fortinet: Forticlient Endpoint Management Server

1 product

Forticlient Endpoint Management Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fortinet Forticlient Endpoint Management Server	Before 6.2.9
Fortinet Forticlient Endpoint Management Server	From 6.4.0 to 6.4.2

Related CWEs

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

https://fortiguard.com/advisory/FG-IR-20-072

Source: psirt@fortinet.com

Vendor Advisory

https://fortiguard.com/advisory/FG-IR-20-072

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.