Inadequate encryption strength in FortiMail - CVE-2021-26095

 

Inadequate encryption strength in FortiMail - CVE-2021-26095

Published: July 13, 2021


Vulnerability identifier: #VU54772
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-26095
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Fortinet, Inc
Affected software:
FortiMail

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to a combination of various cryptographic issues in the session management of FortiMail, including the encryption construction of the session cookie. A remote user with possession of a valid session cookie can decrypt it and reveal or alter its content.

Successful exploitation of the vulnerability may allow an attacker to escalate privileges on the system.


How to mitigate CVE-2021-26095

Install updates from vendor's website.

Sources