Guessable static JSON web token secret
Summary
PRODUCT OUT OF SUPPORT
An improper authentication vulnerability [CWE-287] in FortWAN may allow an authenticated attacker to escalate his privileges via HTTP or HTTPs requests with crafted JWT token values.
Affected Products
FortiWAN version 5.2.0 through 5.2.1
FortiWAN version 5.1.1 through 5.1.2
Solutions
This product is end of life and no longer supported. Please consider replacing with an equivalent FortiGate appliance as approriate.
Acknowledgement
Fortinet is pleased to thanks Idan Cohen from Cyberillium for bringing this issue to our attention under responsible disclosure.Timeline
2023-11-13: Initial publication