====================================================================
CERT-Renater Information Note No. 2020/VULN231
_____________________________________________________________________

DATE                 : 28/04/2020
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running FortiMail versions prior to
                       5.4.11, 6.0.8, 6.2.3, and FortiVoiceEnterprise
                       versions prior to 6.0.2.
=====================================================================

https://fortiguard.com/psirt/FG-IR-20-045
_____________________________________________________________________

Authentication bypass in FortiMail and FortiVoiceEnterprise

Summary

An improper authentication vulnerability in FortiMail and
FortiVoiceEnterprise may allow a remote unauthenticated attacker to
access the system as a legitimate user by requesting a password change
via the user interface.

Impact

Improper Access Control

Affected Products

FortiMail versions 5.4.10 and below.
FortiMail versions 6.0.7 and below.
FortiMail versions 6.2.2 and below.
FortiVoiceEnterprise versions 6.0.1 and below.

FortiVoiceEnterprise versions 5.3 and lower are not impacted by this
vulnerability.

Solutions

Please upgrade to FortiMail version 5.4.11 or above.
Please upgrade to FortiMail version 6.0.8 or above.
Please upgrade to FortiMail version 6.2.3 or above.
Please upgrade to FortiVoiceEnterprise version 6.0.2 or above.

Acknowledgement

Fortinet is pleased to thank Mike Connor for reporting this
vulnerability under responsible disclosure.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================
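As an added example that is not part of the advisory, a small Python triage helper that applies the version ranges above to an asset inventory: the product names, branch thresholds and the FortiVoiceEnterprise 5.3 "not impacted" caveat are taken from the text, while the hostnames and inventory records are constructed sample input.

```python
# Triage helper for the FG-IR-20-045 version ranges listed above. Added
# example, not CERT-Renater's or Fortinet's code; the thresholds are the
# advisory's, the inventory records are constructed sample input.
from typing import List, Tuple

# (branch, last affected build, first fixed build) per the advisory.
BRANCHES = {
    "FortiMail": [((5, 4), (5, 4, 10), (5, 4, 11)),
                  ((6, 0), (6, 0, 7), (6, 0, 8)),
                  ((6, 2), (6, 2, 2), (6, 2, 3))],
    "FortiVoiceEnterprise": [((6, 0), (6, 0, 1), (6, 0, 2))],
}
# FortiVoiceEnterprise 5.3 and lower is explicitly not impacted.
NOT_IMPACTED_UP_TO = {"FortiVoiceEnterprise": (5, 3)}


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.0.7' -> (6, 0, 7); rejects anything but dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, version: str) -> str:
    """Return 'affected', 'fixed', 'not impacted' or 'not listed'."""
    v = parse_version(version)
    if product not in BRANCHES:
        return "not listed"
    if v[:2] <= NOT_IMPACTED_UP_TO.get(product, (0, 0)):
        return "not impacted"
    if product == "FortiMail" and v[:2] < (5, 4):
        return "affected"  # "5.4.10 and below" has no lower bound
    for branch, last_bad, _first_fixed in BRANCHES[product]:
        if v[:2] == branch:
            # compare on major.minor.patch so a 6.0.7.x build stays flagged
            return "affected" if v[:3] <= last_bad else "fixed"
    return "not listed"  # e.g. a 6.1.x build the advisory is silent on


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Hosts whose product/version the advisory marks as affected."""
    return [(host, f"{product} {ver}") for host, product, ver in inventory
            if assess(product, ver) == "affected"]


# Constructed sample inventory, not real hosts.
SAMPLE = [("mx1.example.test", "FortiMail", "6.0.7"),
          ("mx2.example.test", "FortiMail", "6.2.3"),
          ("pbx1.example.test", "FortiVoiceEnterprise", "5.3.2"),
          ("pbx2.example.test", "FortiVoiceEnterprise", "6.0.1")]
```

Versions on a branch the advisory does not mention (for example a 6.1.x build) come back as "not listed" rather than "fixed", so they still need a manual check against the vendor page.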