FortiPortal - Insecure password generation
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-21-099
Final
1
1
2022-03-01T00:00:00
Current version
2022-03-01T00:00:00
2022-03-01T00:00:00
The use of a cryptographically weak pseudo-random number generator (CWE-338) in the password reset feature of FortiPortal may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame.
None
Improper access control
FortiPortal version 6.0.5 and below.
FortiPortal version 5.3.6 and below.
FortiPortal version 5.2.6 and below.
FortiPortal version 5.1.2 and below.
FortiPortal version 5.0.3 and below.
FortiPortal version 4.2.4 and below.
FortiPortal version 4.1.2 and below.
FortiPortal version 4.0.4 and below.
Upgrade to FortiPortal version 6.0.6 or above.
Upgrade to FortiPortal version 5.3.7 or above.
Upgrade to FortiPortal version 5.2.7 or above.
Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.
FortiPortal 6.0.5
FortiPortal 6.0.4
FortiPortal 6.0.3
FortiPortal 6.0.2
FortiPortal 6.0.1
FortiPortal 6.0.0
FortiPortal 5.3.6
FortiPortal 5.3.5
FortiPortal 5.3.4
FortiPortal 5.3.3
FortiPortal 5.3.2
FortiPortal 5.3.1
FortiPortal 5.3.0
FortiPortal 5.2.6
FortiPortal 5.2.5
FortiPortal 5.2.4
FortiPortal 5.2.3
FortiPortal 5.2.2
FortiPortal 5.2.1
FortiPortal 5.2.0
FortiPortal 5.1.2
FortiPortal 5.1.1
FortiPortal 5.1.0
FortiPortal 5.0.3
FortiPortal 5.0.2
FortiPortal 5.0.1
FortiPortal 5.0.0
FortiPortal 4.2.2
FortiPortal 4.2.1
FortiPortal 4.1.2
FortiPortal 4.1.1
FortiPortal 4.1.0
FortiPortal 4.0.4
FortiPortal 4.0.3
FortiPortal 4.0.2
FortiPortal 4.0.1
FortiPortal 4.0.0
CVE-2021-36171
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-21-099