CVE-2023-33302 — Classic Buffer Overflow in Fortinet Fortimail

CWE-120 — Classic Buffer Overflow4 documents4 sources

Severity

8.8HIGHNVD

CNA4.7

EPSS

0.4%

top 41.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortimail Fortinet Fortindr

Timeline

PublishedMar 31

Description

A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiMail webmail and administrative interface version 6.4.0 through 6.4.4 and before 6.2.6 and FortiNDR administrative interface version 7.2.0 and before 7.1.0 allows an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDfortinet/fortindr1.1.0 — 7.2.1

▶NVDfortinet/fortimail6.0.0 — 6.0.11+3

▶CVEListV5fortinet/fortindr7.0.0 — 7.0.6+7

▶CVEListV5fortinet/fortimail6.4.0 — 6.4.4+8

🔴Vulnerability Details

CVEList

CVE-2023-33302: A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiMail webmail and administrative interface version 6↗2025-03-31

▶

GHSA

GHSA-3rq3-6pw2-f97f: A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiMail webmail and administrative interface version 6↗2025-03-31

▶

📋Vendor Advisories

Fortinet

Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail befo...↗2021-07-09

▶