CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-26095
https://notcve.org/view.php?id=CVE-2021-26095
20 Jul 2021 — The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges. Una combinación de varios problemas criptográficos en la administración de sesiones de FortiMail versiones 6.4.0 hasta 6.4.4 y versiones 6.2.0 hasta 6.2.6, incluyéndo la const... • https://fortiguard.com/advisory/FG-IR-21-019 •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-24013
https://notcve.org/view.php?id=CVE-2021-24013
12 Jul 2021 — Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests. Múltiples vulnerabilidades de Salto de ruta en el Webmail de FortiMail versiones anteriores a 6.4.4, pueden permitir a un usuario normal conseguir acceso no autorizado a archivos y datos por medio de peticiones web específicamente diseñadas • https://fortiguard.com/advisory/FG-IR-21-014 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-24015
https://notcve.org/view.php?id=CVE-2021-24015
12 Jul 2021 — An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before 6.4.4 may allow an authenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. Una vulnerabilidad de neutralización inapropiada de los elementos especiales usados en un Comando del Sistema Operativo en la interfaz administrativa de FortiMail versiones anteriores a 6.4.4 puede permitir a un atacante autenticado ejecutar comandos no autoriza... • https://fortiguard.com/advisory/FG-IR-21-021 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-26090
https://notcve.org/view.php?id=CVE-2021-26090
12 Jul 2021 — A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6 may allow an unauthenticated remote attacker to exhaust available memory via specifically crafted login requests. Una vulnerabilidad de falta de liberación de memoria después de su vida útil en el Webmail de FortiMail versiones 6.4.0 hasta 6.4.4 y versiones 6.2.0 hasta 6.2.6, puede permitir a un atacante remoto no autenticado agotar la memoria disponible por medio de... • https://fortiguard.com/advisory/FG-IR-21-042 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26099
https://notcve.org/view.php?id=CVE-2021-26099
12 Jul 2021 — Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext. Una falta de pasos criptográficos en el servicio de Cifrado Identity-Based de FortiMail versiones anteriores a 7.0.0 puede permitir a un atacante que entre en posesión de las claves maestras cifradas comprometer su confidencialidad al observar alg... • https://fortiguard.com/advisory/FG-IR-20-244 •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2021-24007
https://notcve.org/view.php?id=CVE-2021-24007
09 Jul 2021 — Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a non-authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. Múltiples vulnerabilidades de neutralización inapropiada de elementos especiales de comandos SQL en FortiMail versiones anteriores a 6.4.4, pueden permitir a un atacante no autenticado ejecutar código o comandos no autorizados por medio de peticiones HTTP específicamente diseñadas • https://fortiguard.com/advisory/FG-IR-21-012 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-22129
https://notcve.org/view.php?id=CVE-2021-22129
09 Jul 2021 — Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail before 6.4.5 may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests. Múltiples instancias de cálculo incorrecto del tamaño del búfer en la interfaz Administrativa y de Correo web de FortiMail versiones anteriores a 6.4.5, pueden permitir a un atacante autenticado c... • https://fortiguard.com/advisory/FG-IR-21-023 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-26100
https://notcve.org/view.php?id=CVE-2021-26100
09 Jul 2021 — A missing cryptographic step in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an unauthenticated attacker who intercepts the encrypted messages to manipulate them in such a way that makes the tampering and the recovery of the plaintexts possible. Una falta de paso criptográfico en el servicio Identity-Based Encryption de FortiMail versiones anteriores a 7.0.0, puede permitir a un atacante no autenticado que intercepte los mensajes encriptados manipularlos de tal manera que haga p... • https://fortiguard.com/advisory/FG-IR-21-003 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-24020
https://notcve.org/view.php?id=CVE-2021-24020
09 Jul 2021 — A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7 may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification. Una falta de paso criptográfico en la implementación del algoritmo hash digest en FortiMail versiones 6.4.0 hasta 6.4.4, y versiones 6.2.0 hasta 6.2.7, puede permitir a un atacante no autenticado manipular las URLs firmadas al añadir má... • https://fortiguard.com/advisory/FG-IR-21-027 • CWE-347: Improper Verification of Cryptographic Signature •