Deny request approved from External push notification Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-210 Final 1 1 2022-03-01T00:00:00 Current version 2022-03-01T00:00:00 2022-03-01T00:00:00 An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user. None Improper access control FortiTokenAndroid 5.2 all versions are not affectedFortiTokenAndroid 5.1 all versionsFortiTokenAndroid 5.0 all versionsFortiTokenAndroid 4.5 all versionsFortiTokenAndroid 4.4 all versionsFortiTokenAndroid 4.3 all versionsFortiTokenAndroid 4.2 all versionsFortiTokenAndroid 4.1 all versionsFortiTokenAndroid 4.0 all versionsFortiTokenAndroid 0.4 all versions are not affected Please upgrade to version 5.2.0 or above. Fortinet is pleased to thank Gerard Gerritsen from Gemeente Ede for reporting this vulnerability under responsible disclosure. FortiTokenAndroid 5.1.0 FortiTokenAndroid 5.0.3 FortiTokenAndroid 5.0.2 FortiTokenAndroid 4.5.0 FortiTokenAndroid 4.4.0 FortiTokenAndroid 4.3.0 FortiTokenAndroid 4.2.2 FortiTokenAndroid 4.2.1 FortiTokenAndroid 4.1.1 FortiTokenAndroid 4.0.1 FortiTokenAndroid 4.0.0 CVE-2021-44166 FortiTokenAndroid-5.1.0 FortiTokenAndroid-5.0.3 FortiTokenAndroid-5.0.2 FortiTokenAndroid-4.5.0 FortiTokenAndroid-4.4.0 FortiTokenAndroid-4.3.0 FortiTokenAndroid-4.2.2 FortiTokenAndroid-4.2.1 FortiTokenAndroid-4.1.1 FortiTokenAndroid-4.0.1 FortiTokenAndroid-4.0.0 3.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:F/RL:U/RC:R https://fortiguard.fortinet.com/psirt/FG-IR-21-210 Deny request approved from External push notification Reference>