FortiMail - Inter-domain information leakage


An improper access control vulnerability [CWE-284] in FortiMail may allow an authenticated admin user assigned to a specific domain to access and modify other domains' information via insecure direct object references (IDOR).
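The weakness described above is the classic IDOR shape: the handler authenticates the caller but resolves a client-supplied domain identifier without checking that the caller's assigned domain scope covers it. The following is an added illustration, not FortiMail code and not derived from the product; the domain table, the `Admin` model, the `relay_host` attribute and the store classes are all constructed for the example. It places the vulnerable pattern beside the hardened one so the missing check is visible.

```python
from dataclasses import dataclass

# Constructed sample data (not from the advisory): two protected domains.
SAMPLE_DOMAINS = {
    101: {"name": "alpha.example", "relay_host": "mx1.alpha.example"},
    102: {"name": "beta.example", "relay_host": "mx1.beta.example"},
}


@dataclass(frozen=True)
class Admin:
    username: str
    domain_ids: frozenset  # domains this admin is assigned to administer


class Forbidden(Exception):
    """Raised when an authenticated admin requests a domain outside its scope."""


class InsecureDomainStore:
    """Vulnerable pattern: the caller is authenticated (an Admin is present),
    but the client-supplied domain id is resolved directly, so a domain admin
    can read or modify any other domain simply by changing the id."""

    def __init__(self, domains):
        # Copy so each store instance has independent state.
        self.domains = {k: dict(v) for k, v in domains.items()}

    def get(self, admin, domain_id):
        return self.domains[domain_id]

    def set_relay_host(self, admin, domain_id, relay_host):
        self.domains[domain_id]["relay_host"] = relay_host
        return self.domains[domain_id]


class DomainStore(InsecureDomainStore):
    """Hardened pattern: every read and write first checks the requested id
    against the caller's assigned domains. An id outside the scope and a
    non-existent id yield the same error, so responses do not reveal which
    other domain ids exist."""

    def _authorize(self, admin, domain_id):
        if domain_id not in self.domains or domain_id not in admin.domain_ids:
            raise Forbidden(f"{admin.username} is not assigned to domain {domain_id}")

    def get(self, admin, domain_id):
        self._authorize(admin, domain_id)
        return self.domains[domain_id]

    def set_relay_host(self, admin, domain_id, relay_host):
        self._authorize(admin, domain_id)
        return super().set_relay_host(admin, domain_id, relay_host)


def cross_domain_access_allowed(store_cls, domains=SAMPLE_DOMAINS):
    """Return True if an admin assigned only to domain 101 can modify domain 102
    through the given store class. This is the regression check a defender
    would keep in the test suite; it passes (returns False) only for the
    hardened store."""
    alpha_admin = Admin("alpha-admin", frozenset({101}))
    store = store_cls(domains)
    try:
        store.set_relay_host(alpha_admin, 102, "mx-rogue.example")
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("insecure store permits cross-domain write:",
          cross_domain_access_allowed(InsecureDomainStore))
    print("hardened store permits cross-domain write:",
          cross_domain_access_allowed(DomainStore))
```

The design point is that the authorization decision is made in one place (`_authorize`) and applied to every operation that takes a domain id, rather than relying on the UI to hide other domains from a scoped admin; the `cross_domain_access_allowed` function is the kind of negative test that catches a handler which forgets the check.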

Affected Products

FortiMail version 7.2.0
FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.9
FortiMail version 6.0.0 through 6.0.12


Solutions

Please upgrade to FortiMail version 7.2.1 or above
Please upgrade to FortiMail version 7.0.4 or above


Acknowledgement

Fortinet is pleased to thank Abdulmohsen Naser Alotaibi from National Information Center - Deem for reporting this vulnerability under responsible disclosure.