Session API token does not expires after a renewal Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-23-007 Final 1 1 2023-10-10T00:00:00 Current version 2023-10-10T00:00:00 2023-10-10T00:00:00 An insufficient session expiration vulnerability [CWE-613] in FortiEDR Central Manager may allow an attacker to reuse the unexpired user API access token to gain privileges, should the attacker be able to obtain that API access token (via other, hypothetical attacks). None Execute unauthorized code or commands FortiEDR 5.2 all versions are not affectedFortiEDR 5.1 all versions are not affectedFortiEDR version 5.0.0 through 5.0.1 Please upgrade to FortiEDR version 5.2.0.2501 or abovePlease upgrade to FortiEDR version 5.0.3.873 or above Fortinet is pleased to thank security researcher Kevin Carli for discovering and reporting this vulnerability under responsible disclosure. FortiEDR 5.0.1 FortiEDR 5.0.0 CVE-2023-33303 FortiEDR-5.0.1 FortiEDR-5.0.0 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-23-007 Session API token does not expires after a renewal Reference>