CVE-2021-26095

7.5HIGH

Key Information:

Vendor: Fortinet
Status: Fortinet Fortimail
Vendor: CVE Published:; 20 July 2021

Summary

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges.

Affected Version(s)

Fortinet FortiMail FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6

References

https://fortiguard.com/advisory/FG-IR-21-019

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 20, 2021
Vulnerability Reserved
Jan 25, 2021