CVE-2021-36166
First published: Tue Mar 01 2022(Updated: )
An improper authentication vulnerability in FortiMail before 7.0.1 may allow a remote attacker to efficiently guess one administrative account's authentication token by means of the observation of certain system's properties.
Credit: psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiMail | <=5.4.12 | |
| Fortinet FortiMail | >=6.0.0<6.0.12 | |
| Fortinet FortiMail | >=6.2.0<6.2.8 | |
| Fortinet FortiMail | >=6.4.0<6.4.6 | |
| Fortinet FortiMail | =7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-36166?
CVE-2021-36166 is an improper authentication vulnerability in FortiMail before 7.0.1 that allows a remote attacker to guess an administrative account's authentication token.
How can a remote attacker exploit CVE-2021-36166?
A remote attacker can exploit CVE-2021-36166 by observing certain system properties to efficiently guess an administrative account's authentication token.
Which versions of FortiMail are affected by CVE-2021-36166?
FortiMail versions 5.4.12, 6.0.x (up to and excluding 6.0.12), 6.2.x (up to and excluding 6.2.8), 6.4.x (up to and excluding 6.4.6), and 7.0.0 are affected by CVE-2021-36166.
What is the severity of CVE-2021-36166?
CVE-2021-36166 has a severity rating of critical with a CVSS score of 9.8.
How do I fix CVE-2021-36166?
To fix CVE-2021-36166, it is recommended to upgrade FortiMail to version 7.0.1 or later.
- collector/nvd-index
- agent/weakness
- agent/type
- vendor/fortinet
- canonical/fortinet fortimail
- version/fortinet fortimail/5.4.12
- version/fortinet fortimail/6.0.0
- version/fortinet fortimail/6.2.0
- version/fortinet fortimail/6.4.0
- version/fortinet fortimail/7.0.0