Insufficient Session Expiration in FortiSandbox by Fortinet
CVE-2020-29012
5.6 MEDIUM
Summary
FortiSandbox versions 3.2.1 and earlier have an insufficient session expiration vulnerability. The flaw lets an attacker reuse unexpired administrative user session IDs, potentially allowing unauthorized access to information about other users configured on the device. Exploitation depends on the attacker first obtaining a valid session ID by some other, hypothetical, means; with one in hand, they may compromise other user sessions, posing a significant security risk.
Affected Version(s)
Fortinet FortiSandbox 3.2.1
CVSS V3.1
Score: 5.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved