An improper access control vulnerability [CWE-284] in FortiMail may allow an authenticated admin user assigned to a specific domain to access and modify other domains' information via insecure direct object references (IDOR).
Affected Products
FortiMail version 7.2.0
FortiMail version 7.0.0 through 7.0.3
FortiMail version 6.4.0 through 6.4.7
FortiMail version 6.2.0 through 6.2.9
FortiMail version 6.0.0 through 6.0.12
Solutions
Please upgrade to FortiMail version 7.2.1 or above
Please upgrade to FortiMail version 7.0.4 or above