Insecure password generation Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-099 Final 1 1 2022-03-01T00:00:00 Current version 2022-03-01T00:00:00 2022-03-01T00:00:00 The use of a cryptographically weak pseudo-random number generator (CWE-338) in the password reset feature of FortiPortal may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame. None Improper access control FortiPortal version 6.0.5 and below.FortiPortal version 5.3.6 and below.FortiPortal version 5.2.6 and below.FortiPortal version 5.1.2 and below.FortiPortal version 5.0.3 and below.FortiPortal version 4.2.4 and below.FortiPortal version 4.1.2 and below.FortiPortal version 4.0.4 and below. Upgrade to FortiPortal version 6.0.6 or above.Upgrade to FortiPortal version 5.3.7 or above.Upgrade to FortiPortal version 5.2.7 or above. Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team. CVE-2021-36171 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-099 Insecure password generation Reference>