CVE-2021-26095

CVE Database · CVE-2021-26095

CVE-2021-26095

· HIGHModified

CVSS v3.1

7.5

EPSS

0.69%

Published

Jul 20, 2021

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6, including the encryption construction of the session cookie, may allow a remote attacker already in possession of a cookie to possibly reveal and alter or forge its content, thereby escalating privileges.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products (2)

fortinet · fortimailvulnerable

fortinet · fortimail (up to 6.4.5)vulnerable

References (2)

https://fortiguard.com/advisory/FG-IR-21-019

Vendor Advisory

https://fortiguard.com/advisory/FG-IR-21-019

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs