CVE-2020-6644Insufficient Session Expiration in Fortinet Fortideceptor

CWE-613Insufficient Session Expiration4 documents4 sources
Severity
8.1HIGHNVD
EPSS
0.4%
top 38.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet FortideceptorFortinet Fortideceptor
Timeline
PublishedJun 22
Latest updateMay 24

Description

An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5fortinet/fortinet_fortideceptor3.0.0 and below, Fixed in 3.0.1+1

🔴Vulnerability Details

2
GHSA
GHSA-g45q-mxhw-4vfh: An insufficient session expiration vulnerability in FortiDeceptor 32022-05-24
CVEList
CVE-2020-6644: An insufficient session expiration vulnerability in FortiDeceptor 32020-06-22

📋Vendor Advisories

1
Fortinet
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpi...2020-06-22
CVE-2020-6644 — Insufficient Session Expiration | cvebase