CVE-2023-36633 - OpenCVE

An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Fortinet	Fortimail

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortimail::::::::
	cpe:2.3:a:fortinet:fortimail::::::::

References

Link	Resource
https://fortiguard.com/psirt/FG-IR-23-203	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: fortinet

Published: 2023-11-14T18:07:46.082Z

Updated: 2023-11-14T18:07:46.082Z

Reserved: 2023-06-25T18:03:39.225Z

Link: CVE-2023-36633

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-14T18:15:49.107

Modified: 2023-11-20T18:42:29.633

Link: CVE-2023-36633

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "1068FC83-F326-45AA-BB89-1A8C05A1E8B5", "versionEndExcluding": "7.0.6", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A21C673-9ED8-4D8F-838F-F587CFC57715", "versionEndExcluding": "7.2.3", "versionStartIncluding": "7.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated attacker to see and modify the title of address book folders of other users via crafted HTTP or HTTPs requests."}, {"lang": "es", "value": "Una vulnerabilidad de autorizaci\u00f3n inadecuada [CWE-285] en el correo web FortiMail versi\u00f3n 7.2.0 a 7.2.2 y anteriores a 7.0.5 permite a un atacante autenticado ver y modificar el t\u00edtulo de las carpetas de la libreta de direcciones de otros usuarios a trav\u00e9s de solicitudes HTTP o HTTP manipuladas."}], "id": "CVE-2023-36633", "lastModified": "2023-11-20T18:42:29.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2023-11-14T18:15:49.107", "references": [{"source": "psirt@fortinet.com", "tags": ["Vendor Advisory"], "url": "https://fortiguard.com/psirt/FG-IR-23-203"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "psirt@fortinet.com", "type": "Secondary"}]}