Description
FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem.
References (4)
Core References
Vendor Advisory x_refsource_confirm
http://www.fortiguard.com/advisory/Potential-Man-In-The-Middle-Vulnerability-in-FortiClient-VPN/
Various Sources x_refsource_misc
http://objectif-securite.ch/forticlient_bulletin.php
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/59604
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0001.html
Scores
EPSS
0.0019
EPSS Percentile
40.1%
Details
CWE
CWE-255
CWE-310
Status
published
Products (3)
fortinet/forticlient: < 4.3.3.445
fortinet/forticlient_lite: < 4.3.3.445
fortinet/forticlient_ssl_vpn: < 4.0.2012
Published
Jun 25, 2013
Tracked Since
Feb 18, 2026