PT-2019-2799 · Fortinet · FortiOS, FortiProxy

Published: 2019-05-24 · Updated: 2025-10-24 · CVE-2018-13382

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

FortiOS versions 5.4.1 through 5.4.10
FortiOS versions 5.6.0 through 5.6.8
FortiOS versions 6.0.0 through 6.0.4
FortiProxy versions 1.0.0 through 1.0.7
FortiProxy versions 1.1.0 through 1.1.6
FortiProxy versions 1.2.0 through 1.2.8
FortiProxy version 2.0.0
Description

The vulnerability is an improper authorization flaw in the SSL VPN web portal of FortiOS. Because the portal's authorization mechanism does not correctly verify who is permitted to perform the operation, an unauthenticated attacker can change the password of an SSL VPN web portal user by sending specially crafted HTTP requests to the portal.
Recommendations

Update each affected branch to a version that includes the fix for this issue:

FortiOS versions 5.4.1 through 5.4.10
FortiOS versions 5.6.0 through 5.6.8
FortiOS versions 6.0.0 through 6.0.4
FortiProxy versions 1.0.0 through 1.0.7
FortiProxy versions 1.1.0 through 1.1.6
FortiProxy versions 1.2.0 through 1.2.8
FortiProxy version 2.0.0

As a temporary workaround, consider restricting access to the SSL VPN web portal to minimize the risk of exploitation.

Weakness Enumeration

Improper Authorization
Incorrect Authorization

Related Identifiers

BDU:2019-02752
CVE-2018-13382

Affected Products

FortiOS
FortiProxy