Authentication bypass in FortiMail and FortiVoiceEntreprise

Summary

An improper authentication vulnerability in FortiMail and FortiVoiceEntreprise may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface.

Affected Products

FortiMail versions 5.4.10 and below.
FortiMail versions 6.0.7 and below.
FortiMail versions 6.2.2 and below.
FortiVoiceEntreprise versions 6.0.1 and below.
FortiVoiceEntreprise 5.4 all versions.
 

FortiMail versions 5.3 and lower are not impacted by this vulnerability.
FortiVoiceEnterprise versions 5.3 and lower are not impacted by this vulnerability.
FortiMail Cloud has been upgraded to non-impacted versions.

Solutions

Please upgrade to FortiMail version 5.4.11 or above.
Please upgrade to FortiMail version 6.0.8 or above.
Please upgrade to FortiMail version 6.2.3 or above.
Please upgrade to FortiVoiceEntreprise version 6.0.2 or above.

Acknowledgement

Fortinet is pleased to thank Mike Connor for reporting this vulnerability under responsible disclosure.