Vulnerabilities > Fortinet > Fortimail > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-11-14 CVE-2023-36633 Incorrect Permission Assignment for Critical Resource vulnerability in Fortinet Fortimail
An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests.
network
low complexity
fortinet CWE-732
5.4
2023-10-10 CVE-2023-36637 Cross-site Scripting vulnerability in Fortinet Fortimail
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to inject HTML tags in FortiMail's calendar via input fields.
network
low complexity
fortinet CWE-79
5.4
2023-03-09 CVE-2022-29056 Improper Restriction of Excessive Authentication Attempts vulnerability in Fortinet Fortimail
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
network
low complexity
fortinet CWE-307
5.3
2022-11-02 CVE-2022-39945 Authorization Bypass Through User-Controlled Key vulnerability in Fortinet Fortimail
An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).
network
low complexity
fortinet CWE-639
6.5
2022-09-06 CVE-2022-26114 Cross-site Scripting vulnerability in Fortinet Fortimail
An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.
network
low complexity
fortinet CWE-79
6.1
2022-02-02 CVE-2021-43062 Cross-site Scripting vulnerability in Fortinet Fortimail
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service.
network
low complexity
fortinet CWE-79
6.1
2022-01-05 CVE-2020-15933 Information Exposure vulnerability in Fortinet Fortimail
A exposure of sensitive information to an unauthorized actor in Fortinet FortiMail versions 6.0.9 and below, FortiMail versions 6.2.4 and below FortiMail versions 6.4.1 and 6.4.0 allows attacker to obtain potentially sensitive software-version information via client-side resources inspection.
network
low complexity
fortinet CWE-200
5.3
2021-12-08 CVE-2021-32591 Unspecified vulnerability in Fortinet products
A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets.
network
high complexity
fortinet
5.3
2021-12-08 CVE-2021-42757 Out-of-bounds Write vulnerability in Fortinet products
A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.
local
low complexity
fortinet CWE-787
6.7
2021-07-12 CVE-2021-24013 Path Traversal vulnerability in Fortinet Fortimail
Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests.
network
low complexity
fortinet CWE-22
6.5