CVE-2021-42761

A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.

Published: Feb 16, 2023
Updated: Nov 8, 2023
CVE: CVE-2021-42761
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-384

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
fortinet / fortiweb	6.3.0	6.3.17
fortinet / fortiweb	6.2.0	6.2.7
fortinet / fortiweb	6.1.0	6.1.3
fortinet / fortiweb	6.4.0	7.0.0
fortinet / fortiweb	6.0.0	6.0.8
fortinet / fortiweb	5.6.0	5.9.2

https://fortiguard.com/psirt/FG-IR-21-214

Vulnerability Database

289,784

CVE-2021-42761