Vulnerabilities > Fortinet > Fortimail > Medium

DATE CVE VULNERABILITY TITLE RISK
2025-01-22 CVE-2022-23439 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Fortinet products
A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.0 and before 7.0.5, FortiADC version 7.0.0 through 7.0.1 and before 6.2.3 , FortiDDoS before version 5.5.1, FortiDDoS-F before version 6.3.3, FortiTester before version 7.2.1, FortiSOAR before version 7.2.2 and FortiSwitch before version 6.3.3 allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver
network
low complexity
fortinet CWE-610
6.1
2025-01-14 CVE-2024-56497 OS Command Injection vulnerability in Fortinet Fortimail and Fortirecorder
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail versions 7.2.0 through 7.2.4 and 7.0.0 through 7.0.6 and 6.4.0 through 6.4.7, FortiRecorder versions 7.0.0 and 6.4.0 through 6.4.4 allows attacker to execute unauthorized code or commands via the CLI.
local
low complexity
fortinet CWE-78
6.7
2023-11-14 CVE-2023-36633 Incorrect Permission Assignment for Critical Resource vulnerability in Fortinet Fortimail
An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests.
network
low complexity
fortinet CWE-732
5.4
2023-10-10 CVE-2023-36637 Cross-site Scripting vulnerability in Fortinet Fortimail
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.
network
low complexity
fortinet CWE-79
5.4
2023-03-09 CVE-2022-29056 Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortimail
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
network
low complexity
fortinet CWE-307
5.3
2022-11-02 CVE-2022-39945 Authorization Bypass Through User-Controlled Key vulnerability in Fortinet Fortimail
An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).
network
low complexity
fortinet CWE-639
6.5
2022-09-06 CVE-2022-26114 Cross-site Scripting vulnerability in Fortinet Fortimail
An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.
network
low complexity
fortinet CWE-79
6.1
2022-02-02 CVE-2021-43062 Cross-site Scripting vulnerability in Fortinet Fortimail
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service.
network
low complexity
fortinet CWE-79
6.1
2022-01-05 CVE-2020-15933 Information Exposure vulnerability in Fortinet Fortimail
A exposure of sensitive information to an unauthorized actor in Fortinet FortiMail versions 6.0.9 and below, FortiMail versions 6.2.4 and below FortiMail versions 6.4.1 and 6.4.0 allows attacker to obtain potentially sensitive software-version information via client-side resources inspection.
network
low complexity
fortinet CWE-200
5.3
2021-12-08 CVE-2021-32591 Unspecified vulnerability in Fortinet products
A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.
network
high complexity
fortinet
5.3