PT-2021-3662 · Fortinet · Fortimail

Published

2021-06-16

Updated

2023-08-08

CVE-2021-26095

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FortiMail versions 6.2.0 through 6.2.6 FortiMail versions 6.4.0 through 6.4.4

Description The issue is related to cryptographic problems in the session management of FortiMail, including the encryption construction of the session cookie. This may allow a remote attacker who already has a cookie to reveal, alter, or forge its content, potentially escalating privileges.

Recommendations For FortiMail versions 6.2.0 through 6.2.6, update to a version outside of this range to resolve the issue. For FortiMail versions 6.4.0 through 6.4.4, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to session management functions until a patch is available.

Fix

Inadequate Encryption Strength

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-326

Related Identifiers

BDU:2021-03895

CVE-2021-26095

Affected Products

Fortimail

PT-2021-3662 · Fortinet · Fortimail

CVE-2021-26095

Weakness Enumeration

Related Identifiers

Affected Products

References · 7