[FortiProxy] Insecure Storage of local SSL VPN session info Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-20-224 Final 1 1 2021-03-02T00:00:00 Current version 2021-03-02T00:00:00 2021-03-02T00:00:00 A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiProxy SSL VPN may allow an attacker to retrieve a logged-in SSL VPN user's credentials, should that attacker be able to read the session file stored on the targeted device's system. To successfully exploit this weakness, another unrelated weakness (eg: a system file leaking vulnerability) would need to be exploited first. Information disclosure FortiProxy version 2.0.0FortiProxy versions 1.2.9 and below.FortiProxy versions 1.1.6 and below.FortiProxy versions 1.0.7 and below. Please upgrade to FortiProxy versions 2.0.1 or above.Please upgrade to FortiProxy versions 1.2.10 or above. CVE-2019-17655 4.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-20-224 [FortiProxy] Insecure Storage of local SSL VPN session info Reference>