Vulnerabilities > Fortinet > Fortimail > 6.4.5

DATE CVE VULNERABILITY TITLE RISK
2022-03-01 CVE-2021-32586 Improper Input Validation vulnerability in Fortinet Fortimail
An improper input validation vulnerability in the web server CGI facilities of FortiMail before 7.0.1 may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests.
network
low complexity
fortinet CWE-20
critical
9.8
2022-03-01 CVE-2021-36166 Use of Insufficiently Random Values vulnerability in Fortinet Fortimail
An improper authentication vulnerability in FortiMail before 7.0.1 may allow a remote attacker to efficiently guess one administrative account's authentication token by means of the observation of certain system's properties.
network
low complexity
fortinet CWE-330
critical
9.8
2022-02-02 CVE-2021-43062 Cross-site Scripting vulnerability in Fortinet Fortimail
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service.
network
low complexity
fortinet CWE-79
6.1
2021-12-08 CVE-2021-32591 Unspecified vulnerability in Fortinet products
A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.
network
high complexity
fortinet
5.3
2021-12-08 CVE-2021-42757 Out-of-bounds Write vulnerability in Fortinet products
A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.
local
low complexity
fortinet CWE-787
6.7
2021-07-20 CVE-2021-26095 Unspecified vulnerability in Fortinet Fortimail
The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges.
network
low complexity
fortinet
8.8
2021-07-12 CVE-2021-26090 Memory Leak vulnerability in Fortinet Fortimail
A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6 may allow an unauthenticated remote attacker to exhaust available memory via specifically crafted login requests.
network
low complexity
fortinet CWE-401
7.5
2021-07-12 CVE-2021-26099 Unspecified vulnerability in Fortinet Fortimail
Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext.
network
low complexity
fortinet
4.9
2021-07-09 CVE-2021-22129 Classic Buffer Overflow vulnerability in Fortinet Fortimail
Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail before 6.4.5 may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests.
network
low complexity
fortinet CWE-120
8.8
2021-07-09 CVE-2021-24020 Improper Verification of Cryptographic Signature vulnerability in Fortinet Fortimail
A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification.
network
low complexity
fortinet CWE-347
critical
9.8