CVE-2018-13375 — Cross-site Scripting in Fortinet Fortianalyzer
Severity
6.1 MEDIUM (NVD)
EPSS
0.3%
top 46.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 28
Latest update: May 24
Description
An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and FortiManager 5.6.0 and below allows an attacker to send a DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer and FortiManager (with the FortiAnalyzer feature enabled).
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 4 packages
Vulnerability Details (2)
Vendor Advisories (1)
Fortinet
An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and FortiManager 5.6.0... (2019-05-28)