Existing websocket connection persists after deleting API admin
Summary
An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to keep a secure websocket session active after user deletion.
Workaround:
Restrict hosts that can connect to the websocket to trusted ones only, with the trusted host feature.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiOS 7.4 | Not affected | Not Applicable |
| FortiOS 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiOS 6.4 | Not affected | Not Applicable |