CVE-2023-36633: Fortiguard
An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPS requests.
PSIRT Advisories
FortiMail - User can see and modify address book folders title of other users
Summary
An improper authorization vulnerability [CWE-285] in FortiMail webmail may allow an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPS requests.
| Version        | Affected            | Solution                  |
|----------------|---------------------|---------------------------|
| FortiMail 7.4  | Not affected        | Upgrade to 7.4.0 or above |
| FortiMail 7.2  | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
| FortiMail 7.0  | 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above |
| FortiMail 6.4  | 6.4 all versions    | Migrate to a fixed release |
| FortiMail 6.2  | 6.2 all versions    | Migrate to a fixed release |
| FortiMail 6.0  | 6.0 all versions    | Migrate to a fixed release |
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Internally discovered and reported by Hritik Sateesh from Fortinet’s Burnaby Infosec team.
Timeline
2023-11-02: Initial publication