Summary
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts.
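To show what CWE-307 means in code, here is an added illustration (example code, not FortiMail's implementation) of a login gate that evaluates every attempt regardless of prior failures, beside a hardened form that locks a user/source pair after a configurable number of failures within a time window. The credential store, usernames, passwords, thresholds and source addresses are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed credential store for the illustration: username -> sha256(password).
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _password_ok(user: str, password: str) -> bool:
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def login_unrestricted(user: str, password: str) -> bool:
    """CWE-307 pattern: every attempt is evaluated, however many have already failed."""
    return _password_ok(user, password)


class ThrottledLogin:
    """Hardened form: count failures per (user, source) and refuse further
    attempts once the threshold is reached, until the lockout period expires."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable for testing
        self._failures = {}  # (user, source) -> (failure count, time of first failure)

    def is_locked(self, user: str, source: str) -> bool:
        entry = self._failures.get((user, source))
        if entry is None:
            return False
        count, first = entry
        if self.clock() - first > self.lockout_seconds:
            del self._failures[(user, source)]  # window expired: reset the counter
            return False
        return count >= self.max_failures

    def login(self, user: str, password: str, source: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked pair is rejected before the
        password is even checked, so guessing cannot continue during the lockout."""
        if self.is_locked(user, source):
            return "locked"
        if _password_ok(user, password):
            self._failures.pop((user, source), None)  # success clears the counter
            return "ok"
        count, first = self._failures.get((user, source), (0, self.clock()))
        self._failures[(user, source)] = (count + 1, first)
        return "denied"
```

Keying on the user as well as the source is what prevents a single account from being worked over from many addresses; keying on the source alone would not.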
Version | Affected | Solution
--- | --- | ---
FortiMail 7.4 | 7.4.0 | Upgrade to 7.4.1 or above
FortiMail 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above
FortiMail 7.0 | 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above
FortiMail 6.4 | 6.4.0 through 6.4.8 | Upgrade to 6.4.9 or above
FortiMail 6.2 | 6.2 all versions | Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Fortinet is pleased to thank the customer who reported this vulnerability under responsible disclosure.
Timeline
2023-11-13: Initial publication