PSIRT Advisories
FortiWeb - Weak generation of WAF session IDs leads to session fixation
Summary
A session fixation vulnerability [CWE-384] in the session management of FortiWeb, caused by weak generation of WAF session identifiers, may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
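To make the weakness class concrete, the following is an added illustrative example and not FortiWeb code: the advisory does not describe how FortiWeb derived its session IDs, so the "weak" generator below is a generic stand-in (a seeded non-cryptographic PRNG) placed beside a hardened generator that draws from the operating system CSPRNG, together with a small sanity check a defender can run over a sample of IDs. The constant SESSION_ID_BYTES and all class and function names are assumptions for this example.

```python
"""Session-ID generation: an illustrative weak pattern beside a hardened one,
plus a cheap self-check. Added example; not FortiWeb's implementation."""
import random
import secrets

SESSION_ID_BYTES = 32  # 256 bits from the CSPRNG (assumed policy value, not from the advisory)


class WeakSessionIds:
    """Weak (illustrative only): ids come from a seeded, non-cryptographic PRNG.
    A generator like this is deterministic, so anyone who recovers the seed or
    enough of its state can reproduce every id it will ever emit."""

    def __init__(self, seed: int):
        self._rng = random.Random(seed)

    def new_id(self) -> str:
        return "%032x" % self._rng.getrandbits(128)


class StrongSessionIds:
    """Hardened: ids come from the OS CSPRNG via the secrets module."""

    def new_id(self) -> str:
        return secrets.token_hex(SESSION_ID_BYTES)


def reproducible_from_seed(seed: int, n: int = 5) -> bool:
    """Return True when two generators built from the same seed emit the same
    id sequence, which is the signature of a deterministic, inferable generator."""
    a, b = WeakSessionIds(seed), WeakSessionIds(seed)
    return all(a.new_id() == b.new_id() for _ in range(n))


def check_session_ids(ids, min_bits: int = 128) -> list:
    """Sanity checks over a sample of hex session ids: no duplicates and a
    minimum length. Passing does not prove unpredictability; failing proves a
    defect. Returns a list of human-readable findings (empty when clean)."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate session ids in sample")
    for sid in ids:
        if len(sid) * 4 < min_bits:  # hex encoding: 4 bits per character
            findings.append("id shorter than %d bits: %s" % (min_bits, sid))
            break
    return findings


if __name__ == "__main__":
    print("weak generator reproducible from seed:", reproducible_from_seed(1234))
    sample = [StrongSessionIds().new_id() for _ in range(1000)]
    print("findings for CSPRNG ids:", check_session_ids(sample) or "none")
```

The check only catches gross failures (short or repeated identifiers); the reproducibility test is what actually distinguishes a deterministic generator from a CSPRNG-backed one, and that distinction is the root of the session fixation condition described in this advisory. The practical mitigation on the product side remains the upgrade listed under Solutions.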
Affected Products
FortiWeb 5.6 all versions
FortiWeb 5.7 all versions
FortiWeb 5.8 all versions
FortiWeb versions 5.9.1 and below
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below
FortiWeb 6.4 all versions
Solutions
Please upgrade to FortiWeb version 7.0.0 or above
Please upgrade to FortiWeb version 6.3.17 or above
Please upgrade to FortiWeb version 6.2.7 or above
Please upgrade to FortiWeb version 6.1.3 or above
Please upgrade to FortiWeb version 6.0.8 or above
Please upgrade to FortiWeb version 5.9.2 or above