Lucene search

FortinetCVELIST:CVE-2021-26095

HistoryJul 20, 2021 - 10:48 a.m.

CVE-2021-26095

2021-07-2010:48:06

fortinet

www.cve.org

fortimail

cryptographic issues

session management

remote attacker

privileges

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.004

Percentile

72.4%

JSON

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges.

CNA Affected

[
  {
    "product": "Fortinet FortiMail",
    "vendor": "Fortinet",
    "versions": [
      {
        "status": "affected",
        "version": "FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6"
      }
    ]
  }
]

References

fortiguard.com/advisory/FG-IR-21-019

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.004

Percentile

72.4%

JSON

Related for CVELIST:CVE-2021-26095