CVE-2022-45862: An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all…

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.

Affected

19 ranges

Vendor	Product	Version range	Fixed in
fortinet	fortios	—	—
fortinet	fortios	>= 6.4.0 < 7.2.6	7.2.6
fortinet	fortios	6.4.0 – 6.4.11	—
fortinet	fortios	7.0.0 – 7.0.7	—
fortinet	fortios	7.2.0 – 7.2.5	—
fortinet	fortipam	—	—
fortinet	fortipam	—	—
fortinet	fortipam	—	—
fortinet	fortipam	>= 1.0.0 < 1.4.0	1.4.0
fortinet	fortipam	1.0.0 – 1.0.3	—
fortinet	fortipam	1.1.0 – 1.1.2	—
fortinet	fortiproxy	—	—
fortinet	fortiproxy	>= 7.0.0 < 7.4.0	7.4.0
fortinet	fortiproxy	7.0.0 – 7.0.18	—
fortinet	fortiproxy	7.2.0 – 7.2.11	—
fortinet	fortiswitchmanager	—	—
fortinet	fortiswitchmanager	>= 7.0.0 < 7.2.2	7.2.2
fortinet	fortiswitchmanager	7.0.0 – 7.0.2	—
fortinet	fortiswitchmanager	7.2.0 – 7.2.1	—