FortiMail - Unsafe handling of CGI environment parameters in web server framework


An improper input validation (CWE-20) vulnerability in the web server CGI  facilities of FortiMail may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests.

Affected Products

FortiMail 7.0.0.
FortiMail 6.4.5 and below.
FortiMail 6.2.7 and below.
FortiMail 6.0.11 and below.
FortiMail 5.4.12 and below.


Upgrade to FortiMail 7.0.1 or above.
Upgrade to FortiMail 6.4.6 or above.
Upgrade to FortiMail 6.2.8 or above.
Upgrade to FortiMail 6.0.12 or above.


Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.