Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-13380: Cross-site Scripting in Fortinet FortiOS

Severity: 6.1 MEDIUM (NVD), 4.7 (CNA)
EPSS: 34.4% (top 3.00%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 4; latest update May 24

Description

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows an attacker to execute unauthorized malicious script code via the error or message handling parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

CVEListV5 | fortinet/fortinet_fortios_and_fortiproxy | FortiGate 6.0.0 through 6.0.4, 5.6.0 through 5.6.7, 5.4.0 through 5.4.12, 5.2 and earlier and FortiProxy versions 2.0.0, 1.2.8 and earlier
NVD | fortinet/fortios | 5.4.0 to 5.4.12 (+3)
NVD | fortinet/fortiproxy | 1.2.8 (+1)

🔴 Vulnerability Details (2)

GHSA
GHSA-p6vg-vj3x-m483: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6 (2022-05-24)
CVEList
CVE-2018-13380: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6 (2019-06-04)

💥 Exploits & PoCs (1)

Nuclei
Fortinet FortiOS - Cross-Site Scripting

📋 Vendor Advisories (2)

Fortinet
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and... (2019-06-04)
Fortinet
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and... (2019-06-04)

🕵️ Threat Intelligence (1)

Tenable
CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild (2019-08-27)