CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-36166
https://notcve.org/view.php?id=CVE-2021-36166
01 Mar 2022 — An improper authentication vulnerability in FortiMail before 7.0.1 may allow a remote attacker to efficiently guess one administrative account's authentication token by means of the observation of certain system's properties. Una vulnerabilidad de autenticación inapropiada en FortiMail versiones anteriores a 7.0.1, puede permitir a un atacante remoto adivinar eficazmente el token de autenticación de una cuenta administrativa mediante la observación de determinadas propiedades del sistema. • https://fortiguard.com/psirt/FG-IR-21-028 • CWE-330: Use of Insufficiently Random Values •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 3CVE-2021-43062 – Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-43062
02 Feb 2022 — A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service. Una neutralización inapropiada de la entrada durante la generación de la página web ("cross-site scripting") en Fortinet FortiMail versiones 7.0.1 y 7.0.0, versiones 6.4.5 y ... • https://packetstorm.news/files/id/166055 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0CVE-2020-15933
https://notcve.org/view.php?id=CVE-2020-15933
05 Jan 2022 — A exposure of sensitive information to an unauthorized actor in Fortinet FortiMail versions 6.0.9 and below, FortiMail versions 6.2.4 and below FortiMail versions 6.4.1 and 6.4.0 allows attacker to obtain potentially sensitive software-version information via client-side resources inspection. Una exposición de información confidencial a un actor no autorizado en Fortinet FortiMail versiones 6.0.9 y anteriores, FortiMail versiones 6.2.4 y anteriores FortiMail versiones 6.4.1 y 6.4.0, permite a un atacante co... • https://fortiguard.com/psirt/FG-IR-20-105 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 22EXPL: 0CVE-2021-32591
https://notcve.org/view.php?id=CVE-2021-32591
08 Dec 2021 — A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail 7.0.1 and earlier may allow an attacker in possession of the password store to compromise the confidentiality of the encrypted secrets. Una vulnerabilidad de pasos criptográficos faltantes en la función que cifra las credenciales LDAP y RADIUS de los usuarios en FortiSandbox versiones anteriores a 4.0.1, FortiWeb v... • https://fortiguard.com/advisory/FG-IR-20-222 •
CVSS: 6.7EPSS: 0%CPEs: 30EXPL: 0CVE-2021-42757
https://notcve.org/view.php?id=CVE-2021-42757
08 Dec 2021 — A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments. Un desbordamiento de búfer [CWE-121] en la biblioteca del cliente TFTP de FortiOS versiones anteriores a 6.4.7 y FortiOS versiones 7.0.0 hasta 7.0.2, puede permitir a un atacante local autenticado lograr una ejecución de código arbitrario por medio de argumentos de línea de c... • https://fortiguard.com/advisory/FG-IR-21-173 • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-26095
https://notcve.org/view.php?id=CVE-2021-26095
20 Jul 2021 — The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges. Una combinación de varios problemas criptográficos en la administración de sesiones de FortiMail versiones 6.4.0 hasta 6.4.4 y versiones 6.2.0 hasta 6.2.6, incluyéndo la const... • https://fortiguard.com/advisory/FG-IR-21-019 •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-24013
https://notcve.org/view.php?id=CVE-2021-24013
12 Jul 2021 — Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests. Múltiples vulnerabilidades de Salto de ruta en el Webmail de FortiMail versiones anteriores a 6.4.4, pueden permitir a un usuario normal conseguir acceso no autorizado a archivos y datos por medio de peticiones web específicamente diseñadas • https://fortiguard.com/advisory/FG-IR-21-014 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-24015
https://notcve.org/view.php?id=CVE-2021-24015
12 Jul 2021 — An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before 6.4.4 may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. Una vulnerabilidad de neutralización inapropiada de los elementos especiales usados en un Comando del Sistema Operativo en la interfaz administrativa de FortiMail versiones anteriores a 6.4.4 puede permitir a un atacante autenticado ejecutar comandos no autoriza... • https://fortiguard.com/advisory/FG-IR-21-021 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-26090
https://notcve.org/view.php?id=CVE-2021-26090
12 Jul 2021 — A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6 may allow an unauthenticated remote attacker to exhaust available memory via specifically crafted login requests. Una vulnerabilidad de falta de liberación de memoria después de su vida útil en el Webmail de FortiMail versiones 6.4.0 hasta 6.4.4 y versiones 6.2.0 hasta 6.2.6, puede permitir a un atacante remoto no autenticado agotar la memoria disponible por medio de... • https://fortiguard.com/advisory/FG-IR-21-042 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26099
https://notcve.org/view.php?id=CVE-2021-26099
12 Jul 2021 — Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext. Una falta de pasos criptográficos en el servicio de Cifrado Identity-Based de FortiMail versiones anteriores a 7.0.0 puede permitir a un atacante que entre en posesión de las claves maestras cifradas comprometer su confidencialidad al observar alg... • https://fortiguard.com/advisory/FG-IR-20-244 •