CVE-2021-26095

Severity
8.8 HIGH
EPSS
0.3%
top 46.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published 2021-07-20
Latest update 2022-05-24

Description

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges.
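The description names no specific cipher mode, so the following is a generic illustration of the failure class, added here as an example and not Fortinet's code or the actual FortiMail construction. It shows why an encrypt-only session cookie is dangerous in the hands of an attacker who already holds one: with an unauthenticated stream/CTR-style cipher (here a toy keystream built from HMAC-SHA256, an assumption standing in for any malleable mode), flipping ciphertext bits rewrites the plaintext at a known offset (alter/forge), and a reused nonce lets two ciphertexts be XORed to reveal another cookie's content. The hardened variant adds encrypt-then-MAC with an independent key and rejects the same tampering. The cookie layout `uid=1001;role=user`, the key sizes and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter), concatenated.
    Assumption: stands in for any encrypt-only mode; not FortiMail's construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak construction: encryption only, no integrity check ---
def seal_unauthenticated(enc_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))


def open_unauthenticated(enc_key: bytes, token: bytes) -> bytes:
    nonce, ct = token[:NONCE_LEN], token[NONCE_LEN:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def flip_cookie(token: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker side: no key needed. XORing ciphertext with (old ^ new) at a known
    plaintext offset rewrites exactly those plaintext bytes under any stream/CTR mode."""
    assert len(old) == len(new)
    buf = bytearray(token)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[NONCE_LEN + offset + i] ^= o ^ n
    return bytes(buf)


def recover_with_reused_nonce(my_token: bytes, my_plaintext: bytes, victim_token: bytes) -> Optional[bytes]:
    """Attacker side: if two cookies share a nonce, ct_a ^ ct_b == pt_a ^ pt_b, so the
    attacker's own known plaintext reveals the victim's. Returns None if nonces differ."""
    if my_token[:NONCE_LEN] != victim_token[:NONCE_LEN]:
        return None
    n = min(len(my_plaintext), len(victim_token) - NONCE_LEN)
    return _xor(_xor(my_token[NONCE_LEN:NONCE_LEN + n], victim_token[NONCE_LEN:NONCE_LEN + n]), my_plaintext[:n])


# --- Hardened construction: encrypt-then-MAC with a separate key, nonce covered by the tag ---
def seal_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    body = seal_unauthenticated(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_authenticated(enc_key: bytes, mac_key: bytes, token: bytes) -> Optional[bytes]:
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare; reject before decrypting
        return None
    return open_unauthenticated(enc_key, body)


def demo() -> dict:
    """Runs the attack against both constructions and returns what the server would read."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    cookie = b"uid=1001;role=user"          # constructed low-privilege cookie
    off = cookie.index(b"user")

    weak = seal_unauthenticated(enc_key, cookie)
    weak_forged = flip_cookie(weak, off, b"user", b"root")

    strong = seal_authenticated(enc_key, mac_key, cookie)
    strong_forged = flip_cookie(strong, off, b"user", b"root")

    # Nonce reuse: attacker's and victim's cookies sealed under the same nonce (constructed).
    shared_nonce = os.urandom(NONCE_LEN)
    victim = b"uid=0001;role=root"
    mine = seal_unauthenticated(enc_key, cookie, shared_nonce)
    theirs = seal_unauthenticated(enc_key, victim, shared_nonce)

    return {
        "weak_forged": open_unauthenticated(enc_key, weak_forged),        # privilege escalated
        "strong_valid": open_authenticated(enc_key, mac_key, strong),      # untouched cookie accepted
        "strong_forged": open_authenticated(enc_key, mac_key, strong_forged),  # tampering rejected
        "revealed": recover_with_reused_nonce(mine, cookie, theirs),      # victim cookie recovered
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point to check in a real review is the same as in `open_authenticated`: the tag must be verified over the nonce and ciphertext with a key independent of the encryption key, and the check must happen before any decryption or parsing of the cookie body; an AEAD such as AES-GCM gives the same property in one primitive.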

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (2 packages)

NVD: fortinet/fortimail, 6.4.0 up to 6.4.5 (+1 more range)
CVEListV5: fortinet/fortinet_fortimail, FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6

🔴 Vulnerability Details (2)

GHSA: GHSA-287r-v59r-8g28 (2022-05-24): The combination of various cryptographic issues in the session management of FortiMail 6...
CVEList: CVE-2021-26095 (2021-07-20): The combination of various cryptographic issues in the session management of FortiMail 6...

📋 Vendor Advisories (1)

Fortinet (2021-07-20): The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 thr...
Source: cvebase.io