CVE-2023-36556

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

8.8HIGH

EPSS

0.3%

top 49.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortimail

Timeline

PublishedOct 10

Description

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to login on other users accounts from the same web domain via crafted HTTP or HTTPs requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5fortinet/fortimail7.2.0 — 7.2.2+4

▶NVDfortinet/fortimail6.0.0 — 6.0.12+6

🔴Vulnerability Details

GHSA

GHSA-j5v9-j38h-gcff: An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7↗2023-10-10

▶

CVEList

CVE-2023-36556: An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7↗2023-10-10

▶

📋Vendor Advisories

Fortinet

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 throu...↗2023-10-10

▶