CVE-2021-22131: Fortiguard

An improper validation of certificate with host mismatch in Fortinet FortiTokenAndroid version 5.0.3 and below, Fortinet FortiTokeniOS version 5.2.0 and below, and Fortinet FortiTokenWinApp version 4.0.3 and below allows an attacker to retrieve information disclosed via man-in-the-middle attacks.

**PSIRT Advisories**

FortiTokenMobile - Missing digital certificate validation

Summary

An improper validation of certificate with host mismatch vulnerability [CWE-297] in FortiTokenMobile may allow an unauthenticated user to spoof the validation server identity and achieve a Man-in-the-Middle attack.

Affected Products

FortiTokenMobile for Android v5.0.3 or below is impacted
FortiTokenMobile for iOS v5.2.0 or below is impacted
FortiTokenMobile for Windows v4.0.3 or below is impacted

Solutions

Upgrade FortiTokenMobile for Android to version 5.1.0 or above
Upgrade FortiTokenMobile for iOS to version 5.3.0 or above
Upgrade FortiTokenMobile for Windows to version 4.1.0 or above
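
The weakness class named in the summary (CWE-297), as an added example that is not Fortinet's code and not part of the advisory: a TLS client context that verifies the certificate chain but not the host name, next to one that checks both, plus the host name comparison the weak client skips. The host names and certificate dictionaries are constructed; the dictionaries follow the shape Python's `getpeercert()` returns.

```python
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """Chain validation plus host name validation (the library default)."""
    return ssl.create_default_context()

def chain_only_context() -> ssl.SSLContext:
    """CWE-297 pattern: the chain is still verified, the host name is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # any trusted certificate for any host passes
    return ctx

def host_matches(cert: dict, hostname: str) -> bool:
    """Simplified RFC 6125 match against the DNS subjectAltName entries."""
    host = hostname.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        # '*' may stand only for the whole leftmost label, and never
        # directly under a top-level domain.
        if name.startswith("*.") and label and name[2:] == parent and "." in parent:
            return True
    return False

# Constructed sample data (assumed names, not taken from the advisory).
EXPECTED_HOST = "validation.example.test"
SERVER_CERT = {"subjectAltName": (("DNS", "validation.example.test"),)}
OTHER_HOST_CERT = {"subjectAltName": (("DNS", "www.example.net"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.test"),)}

def audit(cert: dict, expected_host: str = EXPECTED_HOST) -> str:
    """Decision a client should reach after the chain has already verified."""
    return "accept" if host_matches(cert, expected_host) else "reject: host mismatch"

if __name__ == "__main__":
    samples = [("server", SERVER_CERT), ("other host", OTHER_HOST_CERT),
               ("wildcard", WILDCARD_CERT)]
    for sample_name, cert in samples:
        print(sample_name, "->", audit(cert))
```

The chain-only context still reports `CERT_REQUIRED`, so a test that only presents an untrusted certificate will pass against it; the check that catches this weakness presents a trusted certificate issued for a different host.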
