ID

VAR-202310-2207


CVE

CVE-2023-36556


TITLE

Vulnerability related to improper authentication in Fortinet's FortiMail

Trust: 0.8

sources: JVNDB: JVNDB-2023-014765

DESCRIPTION

An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below 6.4.7 allows an authenticated attacker to log in to other users' accounts from the same web domain via crafted HTTP or HTTPS requests. Fortinet's FortiMail contains an improper authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Fortinet FortiMail is a set of email security gateway products from the American company Fortinet. The product provides features such as email security and data protection. Fortinet FortiMail has an authorization issue vulnerability, which results from improper authorization in the product.

Trust: 2.16

sources: NVD: CVE-2023-36556 // JVNDB: JVNDB-2023-014765 // CNVD: CNVD-2024-06288

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-06288

AFFECTED PRODUCTS

vendor: fortinet | model: fortimail | scope: eq | version: 7.2.2

Trust: 1.6

vendor: fortinet | model: fortimail | scope: eq | version: 7.2.1

Trust: 1.6

vendor: fortinet | model: fortimail | scope: eq | version: 7.2.0

Trust: 1.6

vendor: fortinet | model: fortimail | scope: lte | version: 7.0.5

Trust: 1.0

vendor: fortinet | model: fortimail | scope: lte | version: 6.0.12

Trust: 1.0

vendor: fortinet | model: fortimail | scope: lte | version: 6.4.7

Trust: 1.0

vendor: fortinet | model: fortimail | scope: lte | version: 6.2.9

Trust: 1.0

vendor: fortinet | model: fortimail | scope: gte | version: 6.4.0

Trust: 1.0

vendor: fortinet | model: fortimail | scope: gte | version: 6.0.0

Trust: 1.0

vendor: fortinet | model: fortimail | scope: gte | version: 6.2.0

Trust: 1.0

vendor: fortinet | model: fortimail | scope: gte | version: 7.0.0

Trust: 1.0

vendor: Fortinet | model: fortimail | scope: eq | version: -

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: - | version: -

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 7.2.1

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 7.0.0 to 7.0.5

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 6.2.0 to 6.2.9

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 6.4.0 to 6.4.7

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 7.2.0

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 7.2.2

Trust: 0.8

vendor: Fortinet | model: fortimail | scope: eq | version: 6.0.0 to 6.0.12

Trust: 0.8

vendor: fortinet | model: fortimail | scope: gte | version: 6.2.0,<=6.2.9

Trust: 0.6

vendor: fortinet | model: fortimail | scope: gte | version: 6.0.0,<=6.0.12

Trust: 0.6

vendor: fortinet | model: fortimail | scope: gte | version: 7.0.0,<=7.0.5

Trust: 0.6

vendor: fortinet | model: fortimail | scope: gte | version: 6.4.0,<=6.4.7

Trust: 0.6

sources: CNVD: CNVD-2024-06288 // JVNDB: JVNDB-2023-014765 // NVD: CVE-2023-36556

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-36556
value: HIGH

Trust: 1.0

psirt@fortinet.com: CVE-2023-36556
value: HIGH

Trust: 1.0

NVD: CVE-2023-36556
value: HIGH

Trust: 0.8

CNVD: CNVD-2024-06288
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-06288
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2023-36556
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2023-36556
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-06288 // JVNDB: JVNDB-2023-014765 // NVD: CVE-2023-36556 // NVD: CVE-2023-36556

PROBLEMTYPE DATA

problemtype: CWE-863

Trust: 1.0

problemtype: Improper authentication (CWE-863) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-014765 // NVD: CVE-2023-36556

PATCH

title: FG-IR-23-202 | url: https://fortiguard.com/psirt/FG-IR-23-202

Trust: 0.8

title: Patch for Fortinet FortiMail authorization issue vulnerability (CNVD-2024-06288) | url: https://www.cnvd.org.cn/patchInfo/show/517601

Trust: 0.6

sources: CNVD: CNVD-2024-06288 // JVNDB: JVNDB-2023-014765

EXTERNAL IDS

db: NVD | id: CVE-2023-36556

Trust: 3.2

db: JVNDB | id: JVNDB-2023-014765

Trust: 0.8

db: CNVD | id: CNVD-2024-06288

Trust: 0.6

sources: CNVD: CNVD-2024-06288 // JVNDB: JVNDB-2023-014765 // NVD: CVE-2023-36556

REFERENCES

url: https://nvd.nist.gov/vuln/detail/cve-2023-36556

Trust: 1.4

url: https://fortiguard.com/psirt/fg-ir-23-202

Trust: 1.0

sources: CNVD: CNVD-2024-06288 // JVNDB: JVNDB-2023-014765 // NVD: CVE-2023-36556

SOURCES

db: CNVD | id: CNVD-2024-06288
db: JVNDB | id: JVNDB-2023-014765
db: NVD | id: CVE-2023-36556

LAST UPDATE DATE

2024-08-14T14:09:45.809000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2024-06288 | date: 2024-01-29T00:00:00
db: JVNDB | id: JVNDB-2023-014765 | date: 2023-12-25T07:40:00
db: NVD | id: CVE-2023-36556 | date: 2023-11-07T04:16:37.820

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2024-06288 | date: 2024-01-17T00:00:00
db: JVNDB | id: JVNDB-2023-014765 | date: 2023-12-25T00:00:00
db: NVD | id: CVE-2023-36556 | date: 2023-10-10T17:15:12.140