Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2018-13382

Disclosure Date: June 04, 2019
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.

Description

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

Add Assessment

1
Ratings
Technical Analysis

This doesn’t seem like that hard of an exploit to pull off, but the configuration must be local without 2fa. Seems like a bit of an edge case. Could see automated scanning + bitcoin or some such implant.

General Information

Vendors

  • Fortinet

Products

  • Fortinet FortiOS

Additional Info

Technical Analysis