Insufficient Session Expiration Vulnerability in FortiNet's FortiIsolator
CVE-2020-6649

9.8CRITICAL

Key Information:

Vendor: Fortinet
Status: Fortinet Fortiisolator
Vendor: CVE Published:; 8 February 2021

Summary

An insufficient session expiration flaw in FortiNet's FortiIsolator can lead to serious security lapses. Attackers may exploit this vulnerability by retrieving unexpired admin user session IDs, potentially allowing them to gain unauthorized admin privileges. This situation underscores the need for developers to ensure that session IDs are invalidated appropriately after a user session ends, safeguarding against possible unauthorized access.

Affected Version(s)

Fortinet FortiIsolator FortiIsolator 2.0.1

References

https://fortiguard.com/advisory/FG-IR-20-011

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 8, 2021
Vulnerability Reserved
Jan 9, 2020