Unsafe handling of CGI environment parameters in FML's web server framework
Summary
An improper input validation (CWE-20) vulnerability in the web server CGI facilities of FortiMail may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests.
Affected Products
FortiMail 7.0.0.
FortiMail 6.4.5 and below.
FortiMail 6.2.7 and below.
FortiMail 6.0.11 and below.
FortiMail 5.4.12 and below.
Solutions
Upgrade to FortiMail 7.0.1 or above.
Upgrade to FortiMail 6.4.6 or above.
Upgrade to FortiMail 6.2.8 or above.
Upgrade to FortiMail 6.0.12 or above.
Acknowledgement
Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.
Timeline
2022-03-01: Initial publication