{"api_version":"1","generated_at":"2026-04-23T10:40:33+00:00","cve":"CVE-2020-6644","urls":{"html":"https://cve.report/CVE-2020-6644","api":"https://cve.report/api/cve/CVE-2020-6644.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-6644","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-6644"},"summary":{"title":"CVE-2020-6644","description":"An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.","state":"PUBLIC","assigner":"psirt@fortinet.com","published_at":"2020-06-22 16:15:00","updated_at":"2020-06-29 01:20:00"},"problem_types":["CWE-613"],"metrics":[],"references":[{"url":"https://fortiguard.com/advisory/FG-IR-20-006","name":"https://fortiguard.com/advisory/FG-IR-20-006","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Session ID does not expire after logout in FortiDeceptor | FortiGuard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-6644","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-6644","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"6644","vulnerable":"1","versionEndIncluding":"3.0.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortideceptor","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-6644","ASSIGNER":"psirt@fortinet.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Fortinet","product":{"product_data":[{"product_name":"Fortinet FortiDeceptor","version":{"version_data":[{"version_value":"3.0.0 and below"},{"version_value":"Fixed in 3.0.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Escalation of privilege"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://fortiguard.com/advisory/FG-IR-20-006","url":"https://fortiguard.com/advisory/FG-IR-20-006"}]},"description":{"description_data":[{"lang":"eng","value":"An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks."}]}},"nvd":{"publishedDate":"2020-06-22 16:15:00","lastModifiedDate":"2020-06-29 01:20:00","problem_types":["CWE-613"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortideceptor:*:*:*:*:*:*:*:*","versionEndIncluding":"3.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"6644","Ordinal":"166907","Title":"CVE-2020-6644","CVE":"CVE-2020-6644","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"6644","Ordinal":"1","NoteData":"An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"6644","Ordinal":"2","NoteData":"2020-06-22","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"6644","Ordinal":"3","NoteData":"2020-06-22","Type":"Other","Title":"Modified"}]}}}