ID

VAR-202004-1869


CVE

CVE-2020-9294


TITLE

Authentication vulnerabilities in FortiMail and FortiVoiceEntreprise

Trust: 0.8

sources: JVNDB: JVNDB-2020-004913

DESCRIPTION

An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 and 6.0.1 may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface. There is an authentication vulnerability in FortiMail and FortiVoiceEntreprise. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiMail and FortiVoice Entreprise are both products of Fortinet. FortiMail is a suite of email security gateway products. The product provides features such as email security and data protection. FortiVoice Entreprise is an enterprise unified communications solution. A security vulnerability exists in Fortinet FortiMail and FortiVoice Entreprise due to the program not properly authenticating identities. The following products and versions are affected: Fortinet FortiMail 5.4.10 and earlier, FortiMail 6.0.7 and earlier, FortiMail 6.2.2 and earlier; FortiVoice Entreprise 5.3 and later (version 6.0.2 has been fixed).

Trust: 1.8

sources: NVD: CVE-2020-9294 // JVNDB: JVNDB-2020-004913 // VULHUB: VHN-187419 // VULMON: CVE-2020-9294

AFFECTED PRODUCTS

vendor: fortinet, model: fortimail, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortimail, scope: lte, version: 6.0.7

Trust: 1.0

vendor: fortinet, model: fortivoice, scope: lte, version: 6.0.1

Trust: 1.0

vendor: fortinet, model: fortivoice, scope: gte, version: 6.0.0

Trust: 1.0

vendor: fortinet, model: fortimail, scope: lte, version: 6.2.2

Trust: 1.0

vendor: fortinet, model: fortimail, scope: gte, version: 6.2.0

Trust: 1.0

vendor: fortinet, model: fortimail, scope: lte, version: 5.4.10

Trust: 1.0

vendor: fortinet, model: fortimail, scope: eq, version: 5.4.10

Trust: 0.8

vendor: fortinet, model: fortimail, scope: eq, version: 6.0.7

Trust: 0.8

vendor: fortinet, model: fortimail, scope: eq, version: 6.2.2

Trust: 0.8

vendor: fortinet, model: fortivoice, scope: eq, version: 6.0.0

Trust: 0.8

vendor: fortinet, model: fortivoice, scope: eq, version: 6.0.1

Trust: 0.8

sources: JVNDB: JVNDB-2020-004913 // NVD: CVE-2020-9294

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-9294
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-004913
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202004-2193
value: CRITICAL

Trust: 0.6

VULHUB: VHN-187419
value: HIGH

Trust: 0.1

VULMON: CVE-2020-9294
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-9294
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-004913
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-187419
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-9294
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-004913
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-187419 // VULMON: CVE-2020-9294 // JVNDB: JVNDB-2020-004913 // CNNVD: CNNVD-202004-2193 // NVD: CVE-2020-9294

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-187419 // JVNDB: JVNDB-2020-004913 // NVD: CVE-2020-9294

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2193

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202004-2193

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-004913

PATCH

title: FG-IR-20-045, url: https://fortiguard.com/psirt/FG-IR-20-045

Trust: 0.8

title: Fortinet FortiMail and FortiVoice Entreprise Remediation measures for authorization problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=117714

Trust: 0.6

sources: JVNDB: JVNDB-2020-004913 // CNNVD: CNNVD-202004-2193

EXTERNAL IDS

db: NVD, id: CVE-2020-9294

Trust: 2.6

db: JVNDB, id: JVNDB-2020-004913

Trust: 0.8

db: CNNVD, id: CNNVD-202004-2193

Trust: 0.7

db: AUSCERT, id: ESB-2020.1454

Trust: 0.6

db: CNVD, id: CNVD-2020-32434

Trust: 0.1

db: VULHUB, id: VHN-187419

Trust: 0.1

db: VULMON, id: CVE-2020-9294

Trust: 0.1

Trust: 0.1

sources: VULHUB: VHN-187419 // VULMON: CVE-2020-9294 // JVNDB: JVNDB-2020-004913 // CNNVD: CNNVD-202004-2193 // NVD: CVE-2020-9294

REFERENCES

url:https://fortiguard.com/psirt/fg-ir-20-045

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-9294

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9294

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.1454/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/287.html

Trust: 0.1

url:https://www.rapid7.com/db/modules/auxiliary/scanner/http/fortimail_login_bypass_detection/

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-187419 // VULMON: CVE-2020-9294 // JVNDB: JVNDB-2020-004913 // CNNVD: CNNVD-202004-2193 // NVD: CVE-2020-9294

CREDITS

Mike Connor

Trust: 0.6

sources: CNNVD: CNNVD-202004-2193

SOURCES

db: VULHUB, id: VHN-187419
db: VULMON, id: CVE-2020-9294
db: JVNDB, id: JVNDB-2020-004913
db: CNNVD, id: CNNVD-202004-2193
db: NVD, id: CVE-2020-9294

LAST UPDATE DATE

2024-08-14T13:44:14.524000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-187419, date: 2020-05-04T00:00:00
db: VULMON, id: CVE-2020-9294, date: 2024-01-18T00:00:00
db: JVNDB, id: JVNDB-2020-004913, date: 2020-06-02T00:00:00
db: CNNVD, id: CNNVD-202004-2193, date: 2020-05-06T00:00:00
db: NVD, id: CVE-2020-9294, date: 2024-01-18T15:48:06.043

SOURCES RELEASE DATE

db: VULHUB, id: VHN-187419, date: 2020-04-27T00:00:00
db: VULMON, id: CVE-2020-9294, date: 2020-04-27T00:00:00
db: JVNDB, id: JVNDB-2020-004913, date: 2020-06-02T00:00:00
db: CNNVD, id: CNNVD-202004-2193, date: 2020-04-27T00:00:00
db: NVD, id: CVE-2020-9294, date: 2020-04-27T17:15:13.593