FortiMail - Email account takeover in same web domain

Summary

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail may allow an authenticated attacker to login to other users accounts from the same web domain via crafted HTTP or HTTPs requests.
Version Affected Solution
FortiMail 7.4 Not affected Upgrade to 7.4.0 or above
FortiMail 7.2 7.2.0 through 7.2.2 Upgrade to 7.2.3 or above
FortiMail 7.0 7.0.0 through 7.0.5 Upgrade to 7.0.6 or above
FortiMail 6.4 6.4.0 through 6.4.7 Upgrade to 6.4.8 or above
FortiMail 6.2 6.2 all versions Migrate to a fixed release
FortiMail 6.0 6.0 all versions Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby Infosec team.

Timeline

2023-10-09: Initial publication