Email account takeover in same web domain


An incorrect authorization vulnerability [CWE-863] in FortiMail webmail may allow an authenticated attacker to log in to other users' accounts from the same web domain via crafted HTTP or HTTPS requests.

Version         Affected                 Solution
FortiMail 7.4   Not affected             Not Applicable
FortiMail 7.2   7.2.0 through 7.2.2      Upgrade to 7.2.3 or above
FortiMail 7.0   7.0.0 through 7.0.5      Upgrade to 7.0.6 or above
FortiMail 6.4   6.4.0 through 6.4.7      Upgrade to 6.4.8 or above
FortiMail 6.2   6.2 all versions         Migrate to a fixed release
FortiMail 6.0   6.0 all versions         Migrate to a fixed release
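As an added example that is not part of the Fortinet advisory, the following Python helper encodes the affected ranges from the table above and classifies FortiMail version strings from an inventory, so an administrator can see which appliances need the listed upgrade or a migration. The host names and version strings in the usage section are constructed, and version strings are assumed to follow the advisory's major.minor.patch form.

```python
# Added example, not Fortinet code: triage FortiMail versions against the
# affected ranges published in this advisory.

# branch -> (first affected, last affected, fixed release).
# first/last of None means every release of that branch is affected and
# the advisory lists no fixed release (migrate instead).
AFFECTED = {
    (7, 2): ((7, 2, 0), (7, 2, 2), "7.2.3"),
    (7, 0): ((7, 0, 0), (7, 0, 5), "7.0.6"),
    (6, 4): ((6, 4, 0), (6, 4, 7), "6.4.8"),
    (6, 2): (None, None, None),   # 6.2 all versions affected
    (6, 0): (None, None, None),   # 6.0 all versions affected
}
NOT_AFFECTED_BRANCHES = {(7, 4)}


def parse_version(s):
    """Parse 'major.minor.patch' (patch may be omitted) into an int tuple."""
    parts = s.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised FortiMail version: %r" % s)
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version):
    """Return (status, action) for one version string.

    status is 'affected', 'fixed', 'not affected' or 'unknown' (branch not
    listed in the advisory); action is the advisory's solution text or None.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in NOT_AFFECTED_BRANCHES:
        return "not affected", None
    if branch not in AFFECTED:
        return "unknown", None
    first, last, fix = AFFECTED[branch]
    if first is None:
        return "affected", "Migrate to a fixed release"
    if first <= v <= last:
        return "affected", "Upgrade to %s or above" % fix
    return "fixed", None          # at or beyond the fixed release


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    for host, ver in [("mx1", "7.2.1"), ("mx2", "7.0.6"), ("mx3", "6.2.5")]:
        status, action = assess(ver)
        print(host, ver, status, action or "")
```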


Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby Infosec team.


2023-10-09: Initial publication