Cryptographic Implementation Flaw in FortiMail by Fortinet
CVE-2021-24020

7.5HIGH

Key Information:

Vendor: Fortinet
Status: Fortinet Fortimail
Vendor: CVE Published:; 9 July 2021

Summary

A significant flaw exists in FortiMail versions 6.4.0 through 6.4.4 and 6.2.0 through 6.2.7 due to a missing cryptographic step in the hash digest algorithm implementation. This weakness can be exploited by an unauthenticated attacker to manipulate signed URLs by appending additional data. As a result, the attacker could bypass the intended signature verification process, leading to potential security breaches and unauthorized access.

Affected Version(s)

Fortinet FortiMail FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7

References

https://fortiguard.com/advisory/FG-IR-21-027

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 9, 2021
Vulnerability Reserved
Jan 13, 2021