
Rewterz Threat Advisory – CVE-2020-29012 – Fortinet FortiSandbox Security Vulnerability

Severity

Medium

Analysis Summary

CVE-2020-29012

Fortinet FortiSandbox could allow a remote attacker to obtain sensitive information because of insufficient session expiration. By reusing unexpired admin user session IDs, a remote attacker could exploit this vulnerability to obtain sensitive information about other users configured on the device and use this information to launch further attacks against the affected system.

Impact

  • Information Theft

Affected Vendors

Fortinet

Affected Products

  • Fortinet FortiSandbox 2.0.4
  • Fortinet FortiSandbox 2.4.1
  • Fortinet FortiSandbox 2.5.0
  • Fortinet FortiSandbox 2.5.1
  • Fortinet FortiSandbox 3.2.1
  • Fortinet FortiSandbox 3.0.6

Remediation

Refer to FortiGuard Advisory FG-IR-20-070 for the patch, upgrade, or suggested workaround information.

https://www.fortiguard.com/psirt/FG-IR-20-070