CVE-2021-42761

Summary

A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiWeb6.4.0 <= 6.4.2affected
FortinetFortiWeb6.3.0 <= 6.3.16affected
FortinetFortiWeb6.2.0 <= 6.2.6affected
FortinetFortiWeb6.1.0 <= 6.1.2affected
FortinetFortiWeb6.0.0 <= 6.0.7affected
FortinetFortiWeb5.9.0 <= 5.9.1affected
FortinetFortiWeb5.8.5 <= 5.8.7affected
FortinetFortiWeb5.8.0 <= 5.8.3affected
FortinetFortiWeb5.7.0 <= 5.7.3affected
FortinetFortiWeb5.6.0 <= 5.6.2affected

Weaknesses

  • CWE-384: Improper access control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References