CVE-2024-27779

Summary

An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSandbox4.4.0 <= 4.4.4affected
FortinetFortiSandbox4.2.1 <= 4.2.6affected
FortinetFortiSandbox4.0.0 <= 4.0.6affected
FortinetFortiSandbox3.2.0 <= 3.2.4affected
FortinetFortiIsolator2.4.0 <= 2.4.4affected
FortinetFortiIsolator2.3.0 <= 2.3.4affected
FortinetFortiIsolator2.2.0affected
FortinetFortiIsolator2.1.0 <= 2.1.2affected
FortinetFortiIsolator2.0.0 <= 2.0.1affected
FortinetFortiIsolator1.2.0 <= 1.2.2affected

Weaknesses

  • CWE-613: Improper access control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References