CVE-2018-13380
published 2019-06-04

CVE-2018-13380: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0…

Priority: P355 · medium · CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 62.47% (99.1st percentile)
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling parameters.

Affected

10 ranges

Vendor     Product                         Version range     Fixed in
fortinet   fortinet                        -                 -
fortinet   fortinet_fortios_and_fortiproxy -                 -
fortinet   fortios                         <= 5.2            -
fortinet   fortios                         -                 -
fortinet   fortios                         5.4.0 - 5.4.12    -
fortinet   fortios                         5.6.0 - 5.6.7     -
fortinet   fortios                         6.0.0 - 6.0.4     -
fortinet   fortiproxy                      <= 1.2.8          -
fortinet   fortiproxy                      -                 -
fortinet   fortiproxy                      -                 -

Detection & IOCs (extracted from sources)

url:  /message?title=x&msg=%26%23%3Csvg/onload=alert(1337)%3E%3B
url:  /remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1337)%3C/script%3E
path: /remote/login
  • Probe the SSL VPN web portal's /message endpoint with XSS payload in the 'msg' parameter; a vulnerable host will reflect the payload (e.g., <svg/onload=...>) in the HTTP 200 response body.
  • Probe the SSL VPN web portal's /remote/error endpoint with XSS payload in the 'errmsg' parameter; a vulnerable host will reflect <script>alert(1337)</script> in the HTTP 200 response body.
  • Match response body for reflected XSS strings and confirm HTTP 200 status; exclude JSON responses (Content-Type: application/json) to reduce false positives.
  • Use FOFA to identify exposed FortiOS SSL VPN portals by searching for body containing /remote/login or icon_hash=945408572.
  • The vulnerability affects the SSL VPN web portal's error and message handling parameters specifically; exploitation requires user interaction (UI:R) as it is a reflected XSS.
  • Affected scope spans FortiOS 6.0.0–6.0.4, 5.6.0–5.6.7, 5.4.0–5.4.12, 5.2 and below, and FortiProxy 2.0.0 and 1.2.8 and below.

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM — AV:N/AC:M/Au:N/C:N/I:P/A:N