FG-IR-20-070: [FortiSandbox] fsuis token does not expire after logout
First published: Tue Sep 07 2021(Updated: )
An insufficient session expiration vulnerability [CWE-613] in FortiSandbox may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiSandbox Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of FG-IR-20-070?
The severity of FG-IR-20-070 is categorized as significant due to the potential for unauthorized access.
How do I fix FG-IR-20-070?
To fix FG-IR-20-070, ensure proper session management configurations are implemented to enforce session expiration.
Who is affected by FG-IR-20-070?
FortiSandbox users with configurations allowing admin user session IDs can be affected by FG-IR-20-070.
What kind of attack is possible with FG-IR-20-070?
FG-IR-20-070 allows attackers to reuse unexpired admin session IDs, potentially gaining unauthorized access to user information.
When was FG-IR-20-070 disclosed?
FG-IR-20-070 was disclosed in a security advisory by FortiGuard.
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2020-29012
- agent/last-modified-date
- agent/type
- collector/fortiguard-psirt
- agent/title
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/fortinet
- canonical/fortinet fortisandbox firmware