CVE-2018-13380

Name of the Vulnerable Software and Affected Versions Fortinet FortiOS versions 5.2 and below Fortinet FortiOS versions 5.4.0 through 5.4.12 Fortinet FortiOS versions 5.6.0 through 5.6.7 Fortinet FortiOS versions 6.0.0 through 6.0.4 Fortinet FortiProxy version 1.2.8 and below Fortinet FortiProxy version 2.0.0

Description The issue exists due to the failure to protect the structure of web pages in the SSL-VPN portal of FortiOS, allowing an attacker to conduct cross-site scripting attacks. This can enable a remote attacker to execute unauthorized malicious script code via the error or message handling parameters. The vulnerability may be exploited to perform a Cross-site Scripting (XSS) attack by failing to sanitize the error or message handling parameters in the SSL VPN web portal.

Recommendations For Fortinet FortiOS versions 5.2 and below, update to a version above 5.2 to resolve the issue. For Fortinet FortiOS versions 5.4.0 through 5.4.12, update to a version above 5.4.12 to resolve the issue. For Fortinet FortiOS versions 5.6.0 through 5.6.7, update to a version above 5.6.7 to resolve the issue. For Fortinet FortiOS versions 6.0.0 through 6.0.4, update to a version above 6.0.4 to resolve the issue. For Fortinet FortiProxy version 1.2.8 and below, update to a version above 1.2.8 to resolve the issue. For Fortinet FortiProxy version 2.0.0, update to a version above 2.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the error or message handling parameters in the SSL VPN web portal to minimize the risk of exploitation.