Fortinet FortiOS CVE-2018-13382 vulnerability in Fortinet Products
Published on June 4, 2019

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10, and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6 and 1.0.0 to 1.0.7, under the SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.


Known Exploited Vulnerability

This Fortinet FortiOS and FortiProxy Improper Authorization vulnerability is part of CISA's list of Known Exploited Vulnerabilities. An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under the SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user.

The following remediation step is recommended / required by July 10, 2022: apply updates per vendor instructions.

Vulnerability Analysis

CVE-2018-13382 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is rated low. It has the highest possible exploitability sub-score (3.9). A successful exploit is rated as having no impact on confidentiality, a high impact on integrity (an attacker can change another user's SSL VPN password), and no impact on availability.

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not perform the check correctly. This allows attackers to bypass the intended access restrictions.

CVE-2018-13382 has been classified as an AuthZ (Improper Authorization) vulnerability or weakness.


Products Associated with CVE-2018-13382


What versions are vulnerable to CVE-2018-13382?