CVE-2021-43062

Name of the Vulnerable Software and Affected Versions Fortinet FortiMail versions 7.0.1 through 7.0.0 Fortinet FortiMail versions 6.4.5 and below Fortinet FortiMail versions 6.3.7 and below Fortinet FortiMail versions 6.0.11 and below

Description The issue is related to an improper neutralization of input during web page generation, also known as cross-site scripting. This allows an attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service. The attacker can perform an XSS attack, potentially allowing them to execute arbitrary code.

Recommendations For Fortinet FortiMail versions 7.0.1 and 7.0.0, consider disabling access to the FortiGuard URI protection service until a patch is available. For Fortinet FortiMail versions 6.4.5 and below, restrict access to the FortiGuard URI protection service to minimize the risk of exploitation. For Fortinet FortiMail versions 6.3.7 and below, avoid using crafted HTTP GET requests to the FortiGuard URI protection service until the issue is resolved. For Fortinet FortiMail versions 6.0.11 and below, consider implementing additional security measures to protect against cross-site scripting attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.