An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to keep a secure websocket session active after user deletion.
Workaround: restrict the hosts that can connect to the websocket to trusted ones only, using the trusted host feature.
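As an added illustration (constructed for this page; it is not FortiOS code and not Fortinet's fix), the following Python model shows the CWE-613 condition the advisory describes, a websocket session that outlives the deleted account, beside the two controls the advisory implies: terminating a user's sessions when the account is deleted, and accepting websocket clients only from trusted hosts. All class and function names are hypothetical.

```python
"""Constructed model of CWE-613 in a websocket session table (not FortiOS code)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Session:
    sid: str
    user: str
    peer_ip: str
    open: bool = True


class SessionTable:
    def __init__(self, trusted_hosts=()):
        self.users = set()          # existing accounts
        self.sessions = {}          # sid -> Session
        # Trusted host restriction: only these networks may open a websocket.
        self.trusted = [ipaddress.ip_network(h) for h in trusted_hosts]

    def add_user(self, name):
        self.users.add(name)

    def open_session(self, sid, user, peer_ip):
        """Accept a websocket only for a known user from a trusted host."""
        if user not in self.users:
            return False
        if self.trusted and not any(ipaddress.ip_address(peer_ip) in n for n in self.trusted):
            return False
        self.sessions[sid] = Session(sid, user, peer_ip)
        return True

    def delete_user_vulnerable(self, user):
        # Removes the account but leaves its websocket sessions open (CWE-613).
        self.users.discard(user)

    def delete_user_fixed(self, user):
        # Removes the account and terminates every session bound to it.
        self.users.discard(user)
        for s in self.sessions.values():
            if s.user == user:
                s.open = False

    def handle_message_naive(self, sid):
        """Checks only that the session is open: a stale session is still served."""
        s = self.sessions.get(sid)
        return "accepted" if s is not None and s.open else "rejected"

    def handle_message_hardened(self, sid):
        """Per-message check that the session is open AND its user still exists."""
        s = self.sessions.get(sid)
        if s is None or not s.open or s.user not in self.users:
            return "rejected"
        return "accepted"
```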
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.4 | Not affected | Upgrade to 7.4.0 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
Acknowledgement: Internally discovered and reported by Yi Liu of the Fortinet Test team.
Timeline: 2023-07-01: Initial publication