ID:4860 - Exploit for Improper Authorization in FortiOS - CVE-2018-13382


Published: November 20, 2020


Vulnerability identifier: #VU18607
Vulnerability risk: High
CVE-ID: CVE-2018-13382
CWE-ID: CWE-285
Exploitation vector: Remote access
Vulnerable software:
FortiOS

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to bypass authorization.

The vulnerability exists due to an unspecified error within the SSL VPN web portal when processing HTTP requests. A remote, non-authenticated attacker can send a specially crafted HTTP request to the SSL VPN web portal and change the password of an arbitrary account.

Successful exploitation of the vulnerability may allow an attacker to log in to the SSL VPN web portal with the new password and gain unauthorized access to network resources.


Remediation

Install updates from the vendor's website.

As a workaround, the vendor recommends disabling the SSL-VPN web portal service:

    config vpn ssl settings
        unset source-interface
    end