Vulnerabilities > CVE-2021-44166 - Unspecified vulnerability in Fortinet Fortitoken Mobile

CVSS 3.5 - LOW

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

fortinet

NVD

Published: 2022-03-02

Updated: 2022-03-11

Summary

An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification 5.1.0 and below may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.

Vulnerable Configurations

Part	Description	Count
Application	Fortinet Fortinet Fortitoken Mobile 4.0.0 Fortinet Fortitoken Mobile 4.0.1 Fortinet Fortitoken Mobile 4.1.1 Fortinet Fortitoken Mobile 4.2.1 Fortinet Fortitoken Mobile 4.2.2 Fortinet Fortitoken Mobile 4.3.0 Fortinet Fortitoken Mobile 4.4.0 Fortinet Fortitoken Mobile 4.5.0 Fortinet Fortitoken Mobile 5.0.2 Fortinet Fortitoken Mobile 5.0.3 Fortinet Fortitoken Mobile 5.1.0	11

References

https://fortiguard.com/psirt/FG-IR-21-210