CVE-2018-13382

2019-06-0400:00:00

attackerkb.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

8.2

Confidence

High

EPSS

0.666

Percentile

98.0%

JSON

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests

Recent assessments:

wwoolwine-r7 at May 14, 2020 5:27pm UTC reported:

This doesn’t seem like that hard of an exploit to pull off, but the configuration must be local without 2fa. Seems like a bit of an edge case. Could see automated scanning + bitcoin or some such implant.

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 3