PT-2020-5588 · Fortinet · FortiMail, FortiVoiceEnterprise

Published 2020-04-27 · Updated 2024-01-18 · CVE-2020-9294

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FortiMail 5.4.10 and earlier, 6.0.7 and earlier, 6.2.2 and earlier; FortiVoiceEnterprise 6.0.0 and 6.0.1.
Description: The password-change function exposed through the user interface does not properly authenticate the requester. A remote, unauthenticated attacker (CVSS vector Au:N) can request a password change for an existing account and then log in with the new credential, gaining access to the system as that legitimate user. Because the affected products are the mail-protection and voice appliances' own management and user interfaces, a successful request amounts to a full account takeover.
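The weakness class described above, as an added illustration: a password-change handler that accepts a target user and a new password without binding the request to an authenticated session, beside a hardened handler that requires a session for the same principal, re-verifies the current password and revokes the account's other sessions. This is constructed example code written for this entry; it is not FortiMail or FortiVoiceEnterprise code, and the page does not describe the vendor's internal logic, so the vulnerable handler only models the effect (unauthenticated account takeover), not Fortinet's implementation. All names (`UserStore`, `change_password_vulnerable`, `change_password_hardened`, the sample user "alice") are assumptions.

```python
"""Model of an improper-authentication flaw (CWE-287) in a password-change flow,
with a hardened counterpart. Constructed example; not vendor code."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; low iteration count only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


class UserStore:
    """Minimal in-memory user and session store (assumed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}  # session token -> username

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def verify_password(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        """Return a fresh session token on success, None otherwise."""
        if not self.verify_password(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def set_password(self, name: str, new_password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(new_password, salt))


def change_password_vulnerable(store: UserStore, target: str, new_password: str) -> bool:
    """Weak flow: any caller names an account and a new password. Nothing ties the
    request to an authenticated session or proves knowledge of the current
    password, so an unauthenticated caller can take over the account."""
    if target not in store.users:
        return False
    store.set_password(target, new_password)
    return True


def change_password_hardened(store: UserStore, session_token: Optional[str], target: str,
                             current_password: str, new_password: str) -> bool:
    """Hardened flow: session-bound, same-principal, re-authenticated change."""
    # 1. The request must carry a valid session.
    principal = store.sessions.get(session_token) if session_token else None
    if principal is None:
        return False
    # 2. The session's principal must be the account being changed.
    if principal != target:
        return False
    # 3. Re-verify the current password so a stolen session alone is not enough.
    if not store.verify_password(target, current_password):
        return False
    store.set_password(target, new_password)
    # 4. Revoke every other session for the account so a prior intruder is logged out.
    stale = [t for t, u in store.sessions.items() if u == target and t != session_token]
    for t in stale:
        del store.sessions[t]
    return True


def demo() -> Tuple[bool, bool, bool]:
    """Attacker with no session: succeeds against the weak flow, fails against the hardened one."""
    weak = UserStore()
    weak.add_user("alice", "correct horse battery staple")  # constructed sample account
    took_over = change_password_vulnerable(weak, "alice", "attacker-chosen")
    attacker_logged_in = weak.login("alice", "attacker-chosen") is not None

    hard = UserStore()
    hard.add_user("alice", "correct horse battery staple")
    blocked = not change_password_hardened(hard, None, "alice", "", "attacker-chosen")
    return took_over, attacker_logged_in, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened handler is the check to look for in any password-change endpoint: the requester must already be authenticated, must be the account owner (or hold an explicit administrative right), and must prove the current secret; a flow that skips any of these is the pattern the advisory above describes.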
Recommendations: Upgrade to a release that contains the fix; Fortinet's PSIRT advisory for CVE-2020-9294 lists FortiMail 5.4.11, 6.0.8 and 6.2.3 and FortiVoiceEnterprise 6.0.2 (and later releases in each branch) as fixed. Where an upgrade cannot be applied immediately, reduce exposure rather than rely on the feature being unused: restrict network access to the FortiMail and FortiVoiceEnterprise web interfaces (management and webmail) to trusted networks, and disable or avoid the user-interface password-change function until the appliance is patched. Because exploitation leaves the attacker holding a valid account, also review authentication and administrative logs for password changes that the account owner did not initiate and for logins following such changes, and reset credentials of any affected accounts after patching.

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

BDU:2021-01209
CVE-2020-9294

Affected Products

FortiMail
FortiVoiceEnterprise