CVE-2021-24019 Information

Description

An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges should the attacker be able to obtain that session ID (via other hypothetical attacks)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://fortiguard.com/advisory/FG-IR-20-072

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8