[FortiProxy] Insecure Storage of local SSL VPN session info
Summary
A cleartext storage in a file or on disk vulnerability (CWE-313) in FortiProxy SSL VPN may allow an attacker to retrieve a logged-in SSL VPN user's credentials, provided that attacker is able to read the session file stored on the targeted device's system. To successfully exploit this weakness, another, unrelated weakness (e.g., a system file leaking vulnerability) would need to be exploited first.
Affected Products
FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.
Solutions
Please upgrade to FortiProxy version 2.0.1 or above.
Please upgrade to FortiProxy version 1.2.10 or above.
Timeline
2021-03-02: Initial publication