TTCSIRT-311.050420: TT-CSIRT ADVISORY – AUTHENTICATION BYPASS IN FORTIMAIL AND FORTIVOICE ENTERPRISE
An improper authentication vulnerability in FortiMail and FortiVoiceEnterprise may allow a remote, unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface.
As a result, this can lead to improper access control.
Products Affected:
FortiMail versions 5.4.10 and below.
FortiMail versions 6.0.7 and below.
FortiMail versions 6.2.2 and below.
FortiVoiceEnterprise versions 6.0.1 and below.
FortiMail versions 5.3 and lower are not impacted by this vulnerability.
FortiVoiceEnterprise versions 5.3 and lower are not impacted by this vulnerability.
FortiMail Cloud has been upgraded to non-impacted versions.
Solutions:
Please upgrade to FortiMail version 5.4.11 or above.
Please upgrade to FortiMail version 6.0.8 or above.
Please upgrade to FortiMail version 6.2.3 or above.
Please upgrade to FortiVoiceEnterprise version 6.0.2 or above.
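The following script is an added example for inventory triage against the ranges stated in this advisory; it is not Fortinet or TT-CSIRT code. It encodes the affected branches and first fixed versions listed above, treats 5.3 and lower as not impacted for both products, and flags any branch the advisory does not name (for example a 6.1.x or 6.4.x build) as "unlisted" rather than assuming it is safe. The host inventory at the bottom is constructed sample data.

```python
"""Check FortiMail / FortiVoiceEnterprise version strings against the
affected and fixed ranges stated in this advisory.

Added example for inventory triage; not Fortinet or TT-CSIRT code.
Version ranges come from the advisory text; the inventory is constructed.
"""
from __future__ import annotations

# Per advisory, for each product: (branch, last affected version, first fixed version).
ADVISORY = {
    "FortiMail": [
        ((5, 4), (5, 4, 10), "5.4.11"),
        ((6, 0), (6, 0, 7), "6.0.8"),
        ((6, 2), (6, 2, 2), "6.2.3"),
    ],
    "FortiVoiceEnterprise": [
        ((6, 0), (6, 0, 1), "6.0.2"),
    ],
}

# Per advisory: 5.3 and lower are not impacted for both products.
NOT_IMPACTED_MAX = (5, 3)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.0.7' into (6, 0, 7); tolerate a leading 'v' and a build
    suffix such as 'v6.0.7,build0231' (assumed format, constructed here)."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    if len(parts) < 2:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def assess(product: str, version: str) -> tuple[str, str | None]:
    """Return (status, first_fixed_version).

    status is one of 'affected', 'fixed', 'not_impacted', or 'unlisted'
    (a branch the advisory does not name; confirm with the vendor instead
    of assuming it is safe).
    """
    if product not in ADVISORY:
        raise KeyError(f"product not covered by this advisory: {product}")
    v = parse_version(version)
    if v[:2] <= NOT_IMPACTED_MAX:
        return ("not_impacted", None)
    for branch, last_affected, fixed in ADVISORY[product]:
        if v[:2] == branch:
            # Pad to three components so a bare '6.0' compares as 6.0.0.
            padded = (v + (0, 0, 0))[:3]
            return ("affected" if padded <= last_affected else "fixed", fixed)
    return ("unlisted", None)


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Map each (host, product, version) record to a one-line finding."""
    findings = []
    for host, product, version in inventory:
        status, fixed = assess(product, version)
        if status == "affected":
            action = f"upgrade to {fixed} or above"
        elif status == "unlisted":
            action = "branch not named in advisory; confirm with vendor"
        else:
            action = "no action required by this advisory"
        findings.append(f"{host}: {product} {version} -> {status}; {action}")
    return findings


# Constructed sample inventory; hostnames and builds are not real.
SAMPLE_INVENTORY = [
    ("mail-gw-01", "FortiMail", "v6.0.7,build0231"),
    ("mail-gw-02", "FortiMail", "6.2.3"),
    ("mail-old", "FortiMail", "5.3.9"),
    ("mail-gw-03", "FortiMail", "6.4.1"),
    ("pbx-01", "FortiVoiceEnterprise", "6.0.1"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

Feed the script your own export of appliance versions; anything reported as "unlisted" should be checked against the vendor's current advisory rather than closed out, since this advisory only names the branches it names.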
The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) encourages users and administrators to review and apply the necessary updates.