I am happy to share vulnerability findings on Fortinet FortiMail, focusing on versions v7.0.1, v7.0.0, v6.4.5 & below, v6.3.7 & below, and v6.0.11 & below. During this assessment, I was able to identify an unpatched XSS (Cross-Site Scripting) vulnerability, tagged as CVE-2021-43062. The vulnerability allowed arbitrary code execution via a specially crafted HTTP GET request to the FortiGuard URI protection service.
| Product | Fortinet FortiMail |
|---|---|
| Vendor | Fortinet |
| Severity | Medium |
| Affected Versions | v7.0.1, v7.0.0, v6.4.5 & below, v6.3.7 & below, v6.0.11 & below |
| Tested Versions | v7.0.1, v7.0.0, v6.4.5 |
| CVE Identifier | CVE-2021-43062 |
| CVE Description | Unpatched XSS vulnerability in Fortinet FortiMail v7.0.1, v7.0.0, v6.4.5 & below, v6.3.7 & below, v6.0.11 & below enables code execution via crafted HTTP GET requests to FortiGuard URI protection service. |
| CWE Classification(s) | CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) |
| CAPEC Classification(s) | CAPEC-86 (Cross-Site Scripting) |
- CVSS Base Score: 6.1 (MEDIUM)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network | vulnerability can be exploited remotely through a network connection. |
| Attack Complexity (AC) | Low | Exploiting the vulnerability requires minimal conditions. |
| Privileges Required (PR) | None | attacker does not require any privileges to exploit the vulnerability. |
| User Interaction (UI) | Required | exploitation involves some interaction from the user or victim. |
| Scope (S) | Changed | vulnerability impacts the confidentiality of the system |
| Confidentiality (C) | Low | vulnerability has a limited impact on confidentiality. |
| Integrity (I) | Low | vulnerability has a limited impact on integrity. |
| Availability (A) | None | vulnerability has no impact on availability |
As part of the assessment, I've developed a Proof of Concept (PoC) to demonstrate the presence and severity of XSS vulnerabilities. Please find the following URL: https://mail2.bssn.go.id/%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
PoC Impact: Running the above URL will trigger a JavaScript alert box, showing the text "XSS". This indicates successful exploitation of the vulnerability.
To mitigate the identified vulnerability and enhance the security posture of Fortinet FortiMail, we recommend implementing the following measures:
- Ensure FortiMail is updated to the latest version that includes a fix for this vulnerability.
- Implement robust input validation mechanisms to prevent XSS attacks.
- Regularly monitor inbound traffic to detect and respond promptly to potential attack attempts.
- Conduct security training for development teams and administrators to promote awareness of best security practices.
The assessment utilized the following tools:
- assetfinder: For subdomain enumeration.
- httpx: For endpoint scanning and identification of open web services.
- nuclei: For security scanning and vulnerability detection in web applications.
- exploitdb: As a reference for relevant exploitation techniques.
Successful identification and exploitation of XSS vulnerabilities in Fortinet FortiMail emphasizes the importance of a thorough vulnerability assessment. By leveraging asset locators, httpx, nuclei, and exploitdb, I effectively identified and demonstrated the impact of vulnerabilities. Implementing the recommended steps will strengthen the overall security posture and reduce potential data integrity risks.
If you have any further inquiries or require additional assistance, please do not hesitate to contact our dedicated security team.
Sincerely,
Eno Leriand | Security research