Vulnerabilities > CVE-2021-44166 - Unspecified vulnerability in Fortinet Fortitoken Mobile

CVSS 4.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

fortinet

NVD

Published: 2022-03-02

Updated: 2022-03-11

Summary

An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.

Vulnerable Configurations

Part	Description	Count
Application	Fortinet Fortinet Fortitoken Mobile 5.1.0 Fortinet Fortitoken Mobile 5.0.3 Fortinet Fortitoken Mobile 5.0.2 Fortinet Fortitoken Mobile 4.5.0 Fortinet Fortitoken Mobile 4.4.0 Fortinet Fortitoken Mobile 4.3.0 Fortinet Fortitoken Mobile 4.2.2 Fortinet Fortitoken Mobile 4.2.1 Fortinet Fortitoken Mobile 4.1.1 Fortinet Fortitoken Mobile 4.0.1 Fortinet Fortitoken Mobile 4.0.0	11

References

https://fortiguard.com/psirt/FG-IR-21-210