Severity: HIGH (8.5) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C
Default status: unaffected
6.4.0 (semver): affected
6.3.0 (semver): affected
6.2.0 (semver): affected
6.1.0 (semver): affected
6.0.0 (semver): affected
5.9.0 (semver): affected
5.8.5 (semver): affected
5.8.0 (semver): affected
5.7.0 (semver): affected
5.6.0 (semver): affected
Description
A session fixation vulnerability [CWE-384] in the session management of FortiWeb 6.4 (all versions), 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, and 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
Problem types
References
fortiguard.com/psirt/FG-IR-21-214