⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-07-10.
CVE-2018-13383 — Out-of-bounds Write in Fortinet Fortios
Severity
6.5 MEDIUM (NVD)
CNA: 4.3 | VulnCheck: 4.3
EPSS
1.3%
Top 20.32%
CISA KEV
KEV, Ransomware
Added 2022-01-10
Due 2022-07-10
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: May 29
KEV added: Jan 10
Latest update: May 24
KEV due: Jul 10
CISA Required Action: Apply updates per vendor instructions.
Description
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier, and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause termination of the SSL VPN web service for logged-in users, due to a failure to properly handle JavaScript href data when proxying web pages.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6
Affected Packages (3 packages)
CVEListV5: fortinet/fortinet_fortios_and_fortiproxy: FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier; FortiProxy 2.0.0, 1.2.8 and earlier