Vulnerabilities > Fortinet > Fortimail > 6.4.8

DATE CVE VULNERABILITY TITLE RISK
2025-01-22 CVE-2022-23439 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Fortinet products
A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.0 and before 7.0.5, FortiADC version 7.0.0 through 7.0.1 and before 6.2.3 , FortiDDoS before version 5.5.1, FortiDDoS-F before version 6.3.3, FortiTester before version 7.2.1, FortiSOAR before version 7.2.2 and FortiSwitch before version 6.3.3 allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver
network
low complexity
fortinet CWE-610
6.1
2023-11-14 CVE-2023-36633 Incorrect Permission Assignment for Critical Resource vulnerability in Fortinet Fortimail
An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests.
network
low complexity
fortinet CWE-732
5.4
2023-11-14 CVE-2023-45582 Unspecified vulnerability in Fortinet Fortimail
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4, 7.0.0 through 7.0.6 and before 6.4.8 may allow an unauthenticated attacker to  perform a brute force attack on the affected endpoints via repeated login attempts.
network
low complexity
fortinet
7.3
2022-09-06 CVE-2022-26114 Cross-site Scripting vulnerability in Fortinet Fortimail
An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.
network
low complexity
fortinet CWE-79
6.1
2021-07-12 CVE-2021-26099 Unspecified vulnerability in Fortinet Fortimail
Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext.
network
low complexity
fortinet
4.9
2021-07-09 CVE-2021-26100 Improper Verification of Cryptographic Signature vulnerability in Fortinet Fortimail
A missing cryptographic step in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an unauthenticated attacker who intercepts the encrypted messages to manipulate them in such a way that makes the tampering and the recovery of the plaintexts possible.
network
low complexity
fortinet CWE-347
7.5