A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fortiweb | Fortinet | 5.6.0 (including) | 5.9.2 (excluding) |
| Fortiweb | Fortinet | 6.0.0 (including) | 6.0.8 (excluding) |
| Fortiweb | Fortinet | 6.1.0 (including) | 6.1.3 (excluding) |
| Fortiweb | Fortinet | 6.2.0 (including) | 6.2.7 (excluding) |
| Fortiweb | Fortinet | 6.3.0 (including) | 6.3.17 (excluding) |
| Fortiweb | Fortinet | 6.4.0 (including) | 7.0.0 (excluding) |
Such a scenario is commonly observed when: