FortiMail's SaltHash vulnerable to extension attacks Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-027 Final 1 1 2021-07-07T00:00:00 Current version 2021-07-07T00:00:00 2021-07-07T00:00:00 A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail may allow an unauthenticated attacker to tamper with signed URLs by appending further data which allows bypass of signature verification. Improper access control FortiMail 6.4.4 and below,FortiMail 6.2.6 and below. Upgrade to FortiMail version 7.0.0.Upgrade to FortiMail version 6.4.5. Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team. CVE-2021-24020 6.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-027 FortiMail's SaltHash vulnerable to extension attacks Reference>