FortiMail IDOR Access Control Bypass in 6.07.2.0
CVE-2022-39945 Published on November 2, 2022
An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an authenticated admin user assigned to a specific domain to access and modify other domains information via insecure direct object references (IDOR).
Vulnerability Analysis
CVE-2022-39945 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Products Associated with CVE-2022-39945
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-39945 are published in Fortinet Fortimail:
Affected Versions
Fortinet FortiMail Version FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all versions is affected by CVE-2022-39945Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.