Severity
Medium
Analysis Summary
CVE-2021-24019
Fortinet FortiClientEMS could allow a remote attacker to gain elevated privileges on the system, caused by insufficient session expiration. By reusing unexpired admin user session IDs, an attacker could exploit this vulnerability to gain administrative privileges.
CVE-2021-24021
Fortinet FortiAnalyzer is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Column settings of LogView. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
Impact
- Privilege Escalation
- Cross-Site Scripting
Affected Vendors
Fortinet
Affected Products
- Fortinet FortiClient EMS 6.2.1
- Fortinet FortiClientEMS 6.4.1
- Fortinet FortiAnalyzer 5.0.4
- Fortinet FortiAnalyzer 5.0.6
- Fortinet FortiAnalyzer 5.2.1
- Fortinet FortiAnalyzer 5.2.0
- Fortinet FortiAnalyzer 5.0.11
- Fortinet FortiAnalyzer 5.0.0
- Fortinet FortiAnalyzer 5.2.5
- Fortinet FortiAnalyzer 5.0.12
- Fortinet FortiAnalyzer 5.4.0
- Fortinet FortiAnalyzer 5.2.2
- Fortinet FortiAnalyzer 5.4.2
- Fortinet FortiAnalyzer 5.4.1
- Fortinet FortiAnalyzer 6.0.0
- Fortinet FortiAnalyzer 5.6.4
- Fortinet FortiAnalyzer 5.6.0
- Fortinet FortiAnalyzer 6.2.3
- Fortinet FortiAnalyzer 6.2.0
- Fortinet FortiAnalyzer 6.2.1
- Fortinet FortiAnalyzer 6.2.2
- Fortinet FortiAnalyzer 5.6.10
- Fortinet FortiAnalyzer 6.0.10
- Fortinet FortiAnalyzer 6.2.7
Remediation
Refer to Fortinet FortiClientEMS Advisory for patch, upgrade, or suggested workaround information.
Refer to Fortinet FortiAnalyzer Advisory for patch, upgrade, or suggested workaround information.