FortiWeb - Weak generation of WAF session IDs leads to session fixation

Summary

A session fixation vulnerability [CWE-384] in the session management of FortiWeb, caused by weak generation of the WAF session identifiers, may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their sessions.
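
The advisory does not describe how the affected versions derive their session IDs, so the following is a constructed illustration of the weakness class, not FortiWeb's code: a hypothetical generator seeded only from the whole-second issue time (which an attacker can estimate or reproduce), next to one drawn from the OS CSPRNG, with the two checks a tester would run against a sample of issued IDs. The function names, the seed window and the sample timestamps are assumptions made for the example.

```python
"""Weak vs. strong WAF session-ID generation (CWE-384 / predictable IDs).

Constructed example; it is NOT FortiWeb's implementation and the page gives
no detail about the real generator. It shows why an ID that can be
regenerated from attacker-observable input lets a remote, unauthenticated
party infer another user's session identifier.
"""
import random
import secrets


def weak_session_id(issue_time: int) -> str:
    """Hypothetical weak generator: a PRNG seeded only with the whole-second
    time at which the session was issued. Two users whose sessions are
    created in the same second receive the same ID, and anyone who can
    estimate the issue time can reproduce the ID offline."""
    rng = random.Random(issue_time)          # deterministic for an int seed
    return rng.getrandbits(128).to_bytes(16, "big").hex()


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG; no input an attacker can observe or
    influence, so the only way to obtain it is to receive it."""
    return secrets.token_hex(16)


def recover_issue_time(session_id: str, estimate: int, window: int = 300):
    """Attacker side: brute-force the seed in a window around the estimated
    login time (e.g. from a Date header or a visible login event) and check
    whether the observed ID is reproducible. Returns the seed, or None."""
    for t in range(estimate - window, estimate + window + 1):
        if weak_session_id(t) == session_id:
            return t
    return None


def collision_count(ids) -> int:
    """Number of duplicate IDs in a sample; any value above 0 means distinct
    sessions share an identifier."""
    return len(ids) - len(set(ids))


def audit_sample(ids, estimate: int, window: int = 300) -> dict:
    """Defender-side check over a sample of IDs collected from an appliance
    (constructed here): how many are reproducible from a guessable seed, and
    how many collide. A sound generator yields 0 for both."""
    predictable = sum(
        1 for sid in ids if recover_issue_time(sid, estimate, window) is not None
    )
    return {"predictable": predictable, "collisions": collision_count(ids)}


if __name__ == "__main__":
    # Constructed sample: three logins in the same second through the weak
    # generator, versus the same number of IDs from the strong one.
    t0 = 1_700_000_000
    weak = [weak_session_id(t0) for _ in range(3)]
    strong = [strong_session_id() for _ in range(3)]
    print("weak  :", audit_sample(weak, estimate=t0 + 120))
    print("strong:", audit_sample(strong, estimate=t0 + 120))
```

The attacker-side function is the whole point of the class of bug: if an identifier can be reconstructed from time, a counter, or any other value visible outside the session, the WAF cannot distinguish the legitimate user from someone presenting a regenerated cookie. When testing a fixed build, collect a few hundred IDs, confirm none are reproducible from any candidate seed and that no two collide, and also confirm the appliance issues a fresh ID after authentication rather than keeping a pre-login one.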

Affected Products

FortiWeb 5.6 all versions
FortiWeb 5.7 all versions
FortiWeb 5.8 all versions
FortiWeb versions 5.9.1 and below
FortiWeb versions 6.0.7 and below
FortiWeb versions 6.1.2 and below
FortiWeb versions 6.2.6 and below
FortiWeb versions 6.3.16 and below
FortiWeb 6.4 all versions

Solutions

Please upgrade to FortiWeb version 7.0.0 or above
Please upgrade to FortiWeb version 6.3.17 or above
Please upgrade to FortiWeb version 6.2.7 or above
Please upgrade to FortiWeb version 6.1.3 or above
Please upgrade to FortiWeb version 6.0.8 or above
Please upgrade to FortiWeb version 5.9.2 or above

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.