CVE-2023-33302

Published: Mar 31, 2025Modified: Jul 23, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiMail webmail and administrative interface version 6.4.0 through 6.4.4 and before 6.2.6 and FortiNDR administrative interface version 7.2.0 and before 7.1.0 allows an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests.

Affected (5)

Products: Fortinet: Fortimail, Fortindr

Fortinet

2 products

Fortimail

Fortindr

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortimail	From 5.4.0 to 5.4.12
Fortinet Fortimail	From 6.0.0 to 6.0.11
Fortinet Fortimail	From 6.2.0 to 6.2.7
Fortinet Fortimail	From 6.4.0 to 6.4.5

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortindr	From 1.1.0 to 7.2.1

Related CWEs

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-21-023

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.