SB2022030125 - Multiple vulnerabilities in Fortinet FortiMail

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-32586)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in the web server CGI  facilities. A remote non-authenticated attacker can send a specially crafted HTTP request and alter the environment of the underlying script interpreter.

2) Improper Authentication (CVE-ID: CVE-2021-36166)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a logic error. A remote attacker can guess administrator's authentication token by observing certain system properties. bypass authentication and gain full access to the system.

Remediation

Install update from vendor's website.

References

• https://fortiguard.com/psirt/FG-IR-21-008
• https://fortiguard.com/psirt/FG-IR-21-028