CVE-2021-42761
Published 2023-02-16
Priority P2 · 61 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.47% (70.4th percentile)
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 5.6.0 < 5.9.2 | 5.9.2 |
| fortinet | fortiweb | 5.6.0 – 5.6.2 | — |
| fortinet | fortiweb | 5.7.0 – 5.7.3 | — |
| fortinet | fortiweb | 5.8.0 – 5.8.3 | — |
| fortinet | fortiweb | 5.8.5 – 5.8.7 | — |
| fortinet | fortiweb | 5.9.0 – 5.9.1 | — |
| fortinet | fortiweb | >= 6.0.0 < 6.0.8 | 6.0.8 |
| fortinet | fortiweb | 6.0.0 – 6.0.7 | — |
| fortinet | fortiweb | >= 6.1.0 < 6.1.3 | 6.1.3 |
| fortinet | fortiweb | 6.1.0 – 6.1.2 | — |
| fortinet | fortiweb | >= 6.2.0 < 6.2.7 | 6.2.7 |
| fortinet | fortiweb | 6.2.0 – 6.2.6 | — |
| fortinet | fortiweb | >= 6.3.0 < 6.3.17 | 6.3.17 |
| fortinet | fortiweb | 6.3.0 – 6.3.16 | — |
| fortinet | fortiweb | >= 6.4.0 < 7.0.0 | 7.0.0 |
| fortinet | fortiweb | 6.4.0 – 6.4.2 | — |
Detection & IOCs (extracted from sources)
- Target product is FortiWeb; monitor for session fixation attempts against FortiWeb session management. The advisory states that an unauthenticated attacker may be able to infer the session identifier of other users and reuse it, so watch for session identifiers that are first seen from one source and later replayed from another.
- CWE-384 (Session Fixation): look for anomalous session token reuse, and for session IDs that appear predictable or sequential, in FortiWeb access logs, particularly where requests carrying an existing session ID arrive from a source that never authenticated.
- All FortiWeb 6.4.x versions are affected; also affected are 6.3.0–6.3.16, 6.2.0–6.2.6, 6.1.0–6.1.2, 6.0.0–6.0.7, and 5.9.0–5.9.1. Verify that a fixed release (5.9.2, 6.0.8, 6.1.3, 6.2.7, 6.3.17 or 7.0.0, per the table above) is deployed.
- The vendor advisory scores this 9.0 (Critical); the NVD CVSS 3.1 vector listed above (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) evaluates to 9.8. Either way exploitation requires no authentication and no user interaction, so unpatched internet-facing FortiWeb instances are high-priority targets.
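The two hunting ideas above (session IDs replayed from a second source, and session IDs that look sequential) and the version check can be scripted. The following is an added example, not Fortinet code and not taken from any of the sources on this page: the log layout it parses is a constructed, hypothetical format (FortiWeb's real log fields are not documented here), the sample lines are made up, and the affected ranges are the ones in the "Fixed in" column of the table above.

```python
"""
Added example (not Fortinet's code): hunt for CVE-2021-42761-style session-ID
abuse in access logs and check whether a FortiWeb version is in an affected
range. The log format below is an assumption made for this example only.
"""
import re
from collections import defaultdict

# Affected ranges taken from the page's table as (first affected, first fixed).
# A version v is affected when lo <= v < fixed, comparing dotted versions as
# integer tuples.
AFFECTED = [
    ((5, 6, 0), (5, 9, 2)),
    ((6, 0, 0), (6, 0, 8)),
    ((6, 1, 0), (6, 1, 3)),
    ((6, 2, 0), (6, 2, 7)),
    ((6, 3, 0), (6, 3, 17)),
    ((6, 4, 0), (7, 0, 0)),
]


def parse_version(s):
    return tuple(int(x) for x in s.strip().split("."))


def fixed_version(version):
    """Return the first fixed release if `version` is affected, else None."""
    v = parse_version(version)
    for lo, fixed in AFFECTED:
        if lo <= v < fixed:
            return ".".join(map(str, fixed))
    return None


# Hypothetical access-log layout (assumed, NOT FortiWeb's real format):
# <timestamp> <src_ip> <method> <path> <status> sid=<session id>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) sid=(\S+)$")

# Constructed sample: two users log in from 10.0.0.x and get sequential IDs;
# 203.0.113.9 never logs in but later reuses both of their session IDs.
SAMPLE_LOG = """\
2023-02-16T10:00:01Z 10.0.0.5 GET /login 200 sid=a1000
2023-02-16T10:00:02Z 10.0.0.5 POST /login 302 sid=a1001
2023-02-16T10:00:03Z 10.0.0.5 GET /admin 200 sid=a1001
2023-02-16T10:00:04Z 10.0.0.6 GET /login 200 sid=a1002
2023-02-16T10:00:05Z 10.0.0.6 POST /login 302 sid=a1003
2023-02-16T10:00:09Z 203.0.113.9 GET /admin 200 sid=a1001
2023-02-16T10:00:10Z 203.0.113.9 GET /admin 200 sid=a1003
2023-02-16T10:00:11Z 10.0.0.7 GET /login 200 sid=9f3c1a8b7e
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, ip, method, path, status, sid = m.groups()
            yield {"ts": ts, "ip": ip, "method": method, "path": path,
                   "status": int(status), "sid": sid}


def shared_sessions(events):
    """Session IDs used from more than one source IP: the replay/usurpation
    signal. Returns {sid: sorted list of source IPs}."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}


def sequential_ids(sids, min_run=3):
    """Session IDs whose trailing number forms a run of consecutive values
    (same prefix, step of exactly 1) at least `min_run` long: the
    predictable-identifier signal. IDs without a numeric tail are ignored."""
    by_prefix = defaultdict(list)
    for sid in set(sids):
        m = re.match(r"^(.*?)(\d+)$", sid)
        if m:
            by_prefix[m.group(1)].append((int(m.group(2)), sid))
    flagged = []
    for items in by_prefix.values():
        items.sort()
        run = [items[0][1]]
        for (prev, _), (cur, sid) in zip(items, items[1:]):
            if cur == prev + 1:
                run.append(sid)
            else:
                if len(run) >= min_run:
                    flagged.extend(run)
                run = [sid]
        if len(run) >= min_run:
            flagged.extend(run)
    return sorted(flagged)


if __name__ == "__main__":
    for ver in ("6.3.16", "6.4.2", "7.0.0"):
        print(ver, "->", fixed_version(ver) or "not affected")
    events = list(parse_log(SAMPLE_LOG))
    print("shared sessions:", shared_sessions(events))
    print("sequential IDs:", sequential_ids([e["sid"] for e in events]))
```

The sequential check is deliberately conservative (exact +1 steps within one prefix) so that a handful of IDs from a random generator do not trip it; the shared-session check is the higher-value signal, because a session ID that first appears after a login from one address and is then presented from another is exactly what "usurp their session" looks like in a log. Adapt `LOG_RE` to the real field layout before pointing this at production logs.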
Fortinet
FG-IR-21-214 (vendor advisory, published 2023-02-16): session fixation [CWE-384] in FortiWeb session management; description as given above.
CVEs: CVE-2021-42761
CWEs: CWE-384
CVSS: 9.0 (critical, vendor score)
Affected products: FortiWeb
GHSA
GHSA-hxmr-8629-frhp (unreviewed, published 2023-02-16, severity critical, CWE-384): same description as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-02-16