An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session has expired or was logged out.
Una vulnerabilidad de expiración de sesión insuficiente [CWE-613] en FortiOS SSL-VPN versión 7.6.0, versión 7.4.6 y anteriores, versión 7.2.10 y anteriores, 7.0 todas las versiones, 6.4 todas las versiones puede permitir que un atacante en posesión de una cookie utilizada para iniciar sesión en el portal SSL-VPN inicie sesión nuevamente, aunque la sesión haya expirado o se haya cerrado la sesión.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |
| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary |
en
CWE-613
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| fortinet | fortisase | 24.4.60 | <built-in method update of dict object at 0x7d1e5febb3c0> | Application |
| fortinet | fortios | * | <built-in method update of dict object at 0x7d1e5fe3f5c0> | Operating System |
| fortinet | fortios | * | <built-in method update of dict object at 0x7d1e5fe3c8c0> | Operating System |
| fortinet | fortios | 7.6.0 | <built-in method update of dict object at 0x7d1e643c34c0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:fortinet:fortisase:24.4.60:*:*:*:-:*:*:* |
| Yes | cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:fortinet:fortios:7.6.0:*:*:*:*:*:*:* |