An improper authorization vulnerability [CWE-285] in FortiMail webmail may allow an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPS requests.
| Version | Affected | Solution |
|---|---|---|
| FortiMail 7.4 | Not affected | Upgrade to 7.4.0 or above |
| FortiMail 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
| FortiMail 7.0 | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiMail 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiMail 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiMail 6.0 | 6.0 all versions | Migrate to a fixed release |
Acknowledgement: Internally discovered and reported by Hritik Sateesh from Fortinet's Burnaby Infosec team.
2023-11-02: Initial publication
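
To triage an inventory against the affected-version table in this advisory, the following added example (not Fortinet's code) classifies a version string by branch and patch level. The hostnames and version strings are constructed, and the `major.minor.patch` format with an optional leading `v` is an assumption about how versions are recorded.

```python
import re

ALL = float("inf")  # marker: every release in the branch is affected

# Transcribed from the advisory table: branch -> (last affected patch, solution).
# A last affected patch of None means the branch is listed as not affected.
TABLE = {
    (7, 4): (None, "Upgrade to 7.4.0 or above"),
    (7, 2): (2, "Upgrade to 7.2.3 or above"),
    (7, 0): (5, "Upgrade to 7.0.6 or above"),
    (6, 4): (ALL, "Migrate to a fixed release"),
    (6, 2): (ALL, "Migrate to a fixed release"),
    (6, 0): (ALL, "Migrate to a fixed release"),
}

# Assumed record format: optional "v", then major.minor.patch; any suffix is ignored.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def triage(version):
    """Return (status, action) for one FortiMail version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparsed", "Check the version manually")
    major, minor, patch = map(int, m.groups())
    row = TABLE.get((major, minor))
    if row is None:
        # Branch absent from the advisory: do not guess either way.
        return ("unlisted", "Branch not covered by this advisory")
    last_affected, action = row
    if last_affected is None or patch > last_affected:
        return ("not affected", None)
    return ("affected", action)


def triage_inventory(inventory):
    """Map host -> (version, status, action) for every host needing attention."""
    findings = {}
    for host, version in inventory.items():
        status, action = triage(version)
        if status != "not affected":
            findings[host] = (version, status, action)
    return findings


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"mail-gw-01": "v7.2.1", "mail-gw-02": "7.0.6", "mail-gw-03": "6.4.7"}
    for host, finding in sorted(triage_inventory(sample).items()):
        print(host, *finding)
```

Hosts reported as `unlisted` or `unparsed` are returned rather than dropped, so a branch the advisory does not mention is never silently treated as safe.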