<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>[FortiIsolator] fsuis token does not expire after logout</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
     </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-20-011</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2021-01-21T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
        </cvrf:Revision>
       </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2021-01-21T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2021-01-21T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            An insufficient session expiration vulnerability in FortiIsolator may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Escalation of privilege
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            FortiIsolator version 2.0.1 and below.
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            Please upgrade to version 2.1.0 or above.
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>&#34;Fortinet is pleased to thank Danilo Costa from PBI for reporting this vulnerability under responsible disclosure.&#34;</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>[FortiIsolator] fsuis token does not expire after logout</Title>
        <cvrf:CVE>CVE-2020-6649</cvrf:CVE>
        <CVSSScoreSets>
            <ScoreSetV3>
                <BaseScoreV3>4.7</BaseScoreV3>
                <VectorV3>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:F/RL:X/RC:X</VectorV3>
            </ScoreSetV3>
        </CVSSScoreSets>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-20-011</URL>
                <Description>[FortiIsolator] fsuis token does not expire after logout</Description>
            </Reference>Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>