CVE-2022-26122: FortiGate versions prior to 6.4.274, FortiClient and FortiMail may have insufficient data authenticity verification, which may allow attackers to bypass the AV engine.

An attacker can exploit the AV engine's lack of data authenticity verification [CWE-345] via a MIME email attachment to inject malicious HTML content or to perform malicious actions on the system.

An incorrect validation of data formats vulnerability [CWE-20] in the FortiGate and FortiManager web interfaces may allow a remote attacker to bypass authentication via a crafted request.

An inadequate certificate validation vulnerability [CWE-20] in the FortiGate and FortiManager web interfaces may allow a remote attacker to bypass authentication via a crafted request.

An inadequate input validation vulnerability [CWE-20] in the FortiGate and FortiManager web interfaces may allow a remote attacker to bypass authentication via a crafted request.

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/04/2022 13:20:00 UTC