Unsafe handling of CGI environment parameters in FML's web server framework

Summary

An improper input validation (CWE-20) vulnerability in the web server CGI facilities of FortiMail may allow an unauthenticated attacker to alter the environment of the underlying script interpreter via specifically crafted HTTP requests.

Affected Products

FortiMail 7.0.0.
FortiMail 6.4.5 and below.
FortiMail 6.2.7 and below.
FortiMail 6.0.11 and below.
FortiMail 5.4.12 and below.

Solutions

Upgrade to FortiMail 7.0.1 or above.
Upgrade to FortiMail 6.4.6 or above.
Upgrade to FortiMail 6.2.8 or above.
Upgrade to FortiMail 6.0.12 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.

Timeline

2022-03-01: Initial publication