Insufficient Session Expiration Vulnerability Affects FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager

CVE-2022-45862

8.8HIGH

Key Information

Vendor: Fortinet
Status: Fortipam; Fortiproxy; FortiOS; Fortiswitchmanager
Vendor: CVE Published:; 13 August 2024

Summary

An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.

Affected Version(s)

FortiPAM = 1.3.0

FortiPAM = 1.2.0

FortiPAM <= 1.1.2

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Aug 13, 2024
Vulnerability Reserved.
Nov 23, 2022

Collectors

NVD DatabaseMitre Database