PSIRT Advisories

FortiMail - Inter-domain information leakage

Summary

An improper access control vulnerability [CWE-284] in FortiMail may allow an authenticated admin user assigned to a specific domain to access and modify other domains' information via insecure direct object references (IDOR).
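The following is an added illustration of the vulnerability class the summary describes, not FortiMail code: a domain-scoped admin requests an object by its global id, and the weak handler returns it after authentication alone, while the hardened handler also checks that the object belongs to the admin's assigned domain before any read or modification. Names (`Admin`, `DomainObject`, the sample domains and the `"*"` global-scope marker) are constructed for the example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("domain_admin_audit")


@dataclass(frozen=True)
class DomainObject:
    object_id: int
    domain: str
    settings: dict


@dataclass(frozen=True)
class Admin:
    username: str
    assigned_domain: str  # constructed convention: "*" marks a global admin


# Constructed sample data: two tenant domains hosted on one mail gateway.
OBJECTS = {
    101: DomainObject(101, "alpha.example", {"spam_action": "quarantine"}),
    202: DomainObject(202, "beta.example", {"spam_action": "tag"}),
}


class AccessDenied(PermissionError):
    pass


def get_object_vulnerable(admin: Admin, object_id: int) -> DomainObject:
    """IDOR pattern: authenticated, but the object's domain is never compared to the admin's scope."""
    return OBJECTS[object_id]


def get_object_hardened(admin: Admin, object_id: int) -> DomainObject:
    """Resolve the id, then enforce that it belongs to the admin's assigned domain."""
    obj = OBJECTS.get(object_id)
    if obj is None:
        raise KeyError(object_id)
    if admin.assigned_domain != "*" and obj.domain != admin.assigned_domain:
        # Denied cross-domain lookups are worth logging: repeated ids outside an
        # admin's scope from one account are a useful detection signal.
        log.warning("cross-domain access denied: admin=%s scope=%s object=%d domain=%s",
                    admin.username, admin.assigned_domain, object_id, obj.domain)
        raise AccessDenied(f"object {object_id} is outside domain {admin.assigned_domain}")
    return obj


def update_setting_hardened(admin: Admin, object_id: int, key: str, value: str) -> DomainObject:
    """The modification path reuses the same scope check before mutating anything."""
    obj = get_object_hardened(admin, object_id)
    OBJECTS[object_id] = DomainObject(obj.object_id, obj.domain, dict(obj.settings, **{key: value}))
    return OBJECTS[object_id]
```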

Affected Products

FortiMail version 7.2.0
FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.9
FortiMail version 6.0.0 through 6.0.12

Solutions

Please upgrade to FortiMail version 7.2.1 or above
Please upgrade to FortiMail version 7.0.4 or above

Acknowledgement

Fortinet is pleased to thank Abdulmohsen Naser Alotaibi from National Information Center - Deem for reporting this vulnerability under responsible disclosure.