Http debug commands in FortiMail exposes users credentials to admins Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-15-009 Final 1 1 2015-04-10T00:00:00 Current version 2015-04-10T00:00:00 2015-04-10T00:00:00 FortiMail's "diag debug application httpd" set of commands can be used to capture the credentials entered in the admin WebGui and the webmail login page forms. The debug commands can be executed by super_admin users and admin users. Credentials Exposure FortiMail 5.0.3 to 5.2.3. Previous versions are not affected. Upgrade to 5.2.4.There is currently no workaround to disable the debug command in 5.1 and 5.0. CVE-2015-3293 https://fortiguard.fortinet.com/psirt/FG-IR-15-009 Http debug commands in FortiMail exposes users credentials to admins Reference>