PSIRT

Session cookie does not expire after logout

Summary

An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

Affected Products

FortiClientEMS version 6.2.8 and below.
FortiClientEMS version 6.4.2 and below.

Solutions

Please upgrade to FortiClientEMS version 6.2.9 or above.
Please upgrade to FortiClientEMS version 6.4.3 or above.
Please upgrade to FortiClientEMS version 7.0.0 or above.

Acknowledgement

Fortinet is pleased to thank Researcher Johnatan Camargo and Researcher Danilo Costa for reporting this vulnerability under responsible disclosure.

Timeline

2021-10-05: Initial publication

IR Number	FG-IR-20-072
Published Date	Oct 5, 2021
Severity	High
CVSSv3 Score	7.9
Impact	Escalation of privilege
CVE ID	CVE-2021-24019
CVRF	Download
Language

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

PSIRT

Session cookie does not expire after logout

Summary

Affected Products

Solutions

Acknowledgement

Timeline

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

PSIRT

Session cookie does not expire after logout

Summary

Affected Products

Solutions

Acknowledgement

Timeline

Threat Intelligence
Center