FortiWeb - Weak generation of WAF session IDs leads to session fixation Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-214 Final 1 1 2023-02-16T00:00:00 Current version 2023-02-16T00:00:00 2023-02-16T00:00:00 A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session. None Improper access control FortiWeb 5.6 all versionsFortiWeb 5.7 all versionsFortiWeb 5.8 all versionsFortiWeb versions 5.9.1 and below,FortiWeb versions 6.0.7 and below,FortiWeb versions 6.1.2 and below,FortiWeb versions 6.2.6 and below,FortiWeb versions 6.3.16 and below,FortiWeb 6.4 all versions Please upgrade to FortiWeb version 7.0.0 or abovePlease upgrade to FortiWeb version 6.3.17 or abovePlease upgrade to FortiWeb version 6.2.7 or abovePlease upgrade to FortiWeb version 6.1.3 or abovePlease upgrade to FortiWeb version 6.0.8 or abovePlease upgrade to FortiWeb version 5.9.2 or above Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team. CVE-2021-42761 8.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-214 FortiWeb - Weak generation of WAF session IDs leads to session fixation Reference>