Skip to main content

Fortimail CVE-2023-36556

HIGH
Incorrect Authorization (CWE-863)
2023-10-10 psirt@fortinet.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 10, 2023 - 17:15 nvd
HIGH 8.8

DescriptionNVD

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to login on other users accounts from the same web domain via crafted HTTP or HTTPs requests.

AnalysisAI

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to login on other. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to login on other users accounts from the same web domain via crafted HTTP or HTTPs requests. Affected products include: Fortinet Fortimail. Version information: version 7.2.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2020-9294 CRITICAL POC
9.8 Apr 27

An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 an

CVE-2023-47539 CRITICAL
9.8 Mar 18

An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wil

CVE-2021-24020 CRITICAL
9.8 Jul 09

A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.

CVE-2021-24007 CRITICAL
9.8 Jul 09

Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow

CVE-2013-1471 MEDIUM POC
4.3 Feb 04

Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMai

CVE-2021-26095 HIGH
8.8 Jul 20

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 thr

CVE-2021-24015 HIGH
8.8 Jul 12

An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of Fo

CVE-2021-22129 HIGH
8.8 Jul 09

Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail befo

CVE-2022-26122 HIGH
8.6 Nov 02

An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engin

CVE-2014-8617 MEDIUM POC
4.3 Mar 04

Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMai

CVE-2022-22299 HIGH
7.8 Aug 05

A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiAD

CVE-2021-26091 HIGH
7.5 Mar 24

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Base

Share

CVE-2023-36556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy