[FortiSandbox] fsuis token does not expire after logout Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-20-070 Final 1 1 2021-09-07T00:00:00 Current version 2021-09-07T00:00:00 2021-09-07T00:00:00 An insufficient session expiration vulnerability [CWE-613] in FortiSandbox may allow an attacker to reuse the unexpired admin user session IDs to gain information about other users configured on the device, should the attacker be able to obtain that session ID (via other, hypothetical attacks) None Information disclosure FortiSandbox versions 3.2.1 and below. Please upgrade to FortiSandbox version 3.2.2 or above.Please upgrade to FortiSandbox version 4.0.0.Workaround:1. Disable HTTP and enable HTTPS to prevent intercepting the token over the network.2. Clear the browser cache/cookies after logging out to prevent the token from being available on the local PC. Fortinet is pleased to thank Danilo Costa for reporting this vulnerability under responsible disclosure CVE-2020-29012 5.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-20-070 [FortiSandbox] fsuis token does not expire after logout Reference>