CVE-2021-42761

Published: Feb 16, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.

Affected (6)

Products: Fortinet: Fortiweb

Fortinet

1 product

Fortiweb

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortiweb	From 5.6.0 to 5.9.2
Fortinet Fortiweb	From 6.0.0 to 6.0.8
Fortinet Fortiweb	From 6.1.0 to 6.1.3
Fortinet Fortiweb	From 6.2.0 to 6.2.7
Fortinet Fortiweb	From 6.3.0 to 6.3.17
Fortinet Fortiweb	From 6.4.0 to 7.0.0

Related CWEs

CWE-384

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (2)

https://fortiguard.com/psirt/FG-IR-21-214

Source: psirt@fortinet.com

Vendor Advisory

https://fortiguard.com/psirt/FG-IR-21-214

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.