5
CVSSv2

CVE-2018-13382

Published: 04/06/2019 Updated: 11/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 under SSL VPN web portal allows an unauthenticated malicious user to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

Vulnerability Trend

Affected Products

Vendor Product Versions
FortinetFortios5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4

Github Repositories

CVE-2018-13382 CVE-2018-13382

Do Some Magic :) Great research work by Devcore Security Team (@mehqq_ and @orange_8361) Attacking SSL VPN CVE-2018-13379: Pre-auth arbitrary file reading CVE-2018-13382: The magic backdoor

Recent Articles

APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn
Threatpost • Elizabeth Montalbano • 08 Oct 2019

State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials.
The National Security Agency (NSA) issued a Cybersecurity Advisory Monday about the threats and offered mitigation suggestions, warning that multiple APT actors have weaponized three critical vulnerabilities first published in August–C...