CVE-2021-24019

CWE-613Insufficient Session Expiration4 documents4 sources
Severity
9.8CRITICAL
EPSS
15.2%
top 5.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Fortinet Forticlient Endpoint Management ServerFortinet Fortinet Forticlientems
Timeline
PublishedOct 6
Latest updateMay 24

Description

An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5fortinet/fortinet_forticlientemsFortiClientEMS 6.4.2, 6.4.1, 6.4.0, 6.2.8, 6.2.7, 6.2.6, 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0

🔴Vulnerability Details

2
GHSA
GHSA-qw2f-33vp-25mq: An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 62022-05-24
CVEList
CVE-2021-24019: An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 62021-10-06

📋Vendor Advisories

1
Fortinet
An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below...2021-10-06
CVE-2021-24019 (CRITICAL CVSS 9.8) | An insufficient session expiration | cvebase.io