CVE-2013-4669

FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem.

Published: Jun 25, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-4669
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.4
AV:N/AC:H/Au:N/C:C/I:N/A:N

CWEs:

CWE-255
CWE-310

Affected Software
References

Software	From	Fixed in
fortinet / forticlient	-	4.3.3.445.x
fortinet / forticlient_lite	-	4.3.3.445.x
fortinet / forticlient_ssl_vpn	-	4.0.2012.x
fortinet / forticlient	-	4.0.2.x
fortinet / forticlient_lite	-	2.0.x

http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0001.html
http://objectif-securite.ch/forticlient_bulletin.php
http://www.fortiguard.com/advisory/Potential-Man-In-The-Middle-Vulnerability-in-FortiClient-VPN/
http://www.securityfocus.com/bid/59604

Vulnerability Database

289,599

CVE-2013-4669