CVE-2020-6649

CWE-613Insufficient Session Expiration4 documents4 sources
Severity
9.8CRITICAL
EPSS
0.4%
top 38.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet FortiisolatorFortinet Fortinet Fortiisolator
Timeline
PublishedFeb 8
Latest updateMay 24

Description

An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5fortinet/fortinet_fortiisolatorFortiIsolator 2.0.1

🔴Vulnerability Details

2
GHSA
GHSA-qxf7-8j2m-38vq: An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 22022-05-24
CVEList
CVE-2020-6649: An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 22021-02-08

📋Vendor Advisories

1
Fortinet
An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attack...2021-02-08
CVE-2020-6649 (CRITICAL CVSS 9.8) | An insufficient session expiration | cvebase.io