CVE-2021-44166

Published: Mar 2, 2022Modified: Nov 21, 2024

4.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Exploitability: 2.3 / Impact: 1.4

Source: NVD

Description

An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.

Affected (11)

Products: Fortinet: Fortitoken Mobile

Fortinet

1 product

Fortitoken Mobile

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortitoken Mobile	Version 4.0.0
Fortinet Fortitoken Mobile	Version 4.0.1
Fortinet Fortitoken Mobile	Version 4.1.1
Fortinet Fortitoken Mobile	Version 4.2.1
Fortinet Fortitoken Mobile	Version 4.2.2
Fortinet Fortitoken Mobile	Version 4.3.0
Fortinet Fortitoken Mobile	Version 4.4.0
Fortinet Fortitoken Mobile	Version 4.5.0
Fortinet Fortitoken Mobile	Version 5.0.2
Fortinet Fortitoken Mobile	Version 5.0.3
Fortinet Fortitoken Mobile	Version 5.1.0

References (2)

https://fortiguard.com/psirt/FG-IR-21-210

Source: psirt@fortinet.com

PatchVendor Advisory

https://fortiguard.com/psirt/FG-IR-21-210

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.