
CVE-2018-13382

Known Exploited (CISA KEV)
Severity: CRITICAL
CVSS Severity Score: 9.1
EPSS Score: 62.6050%
EPSS Percentile: 94.93th
Published: Jun 4, 2019
Last Modified: Oct 24, 2025

Vulnerability Description

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

Affected Platforms (CPE)

Fortinet FortiProxy: < 1.2.9
Fortinet FortiProxy: = 2.0.0
Fortinet FortiOS: >= 5.4.1 and < 5.4.11
Fortinet FortiOS: >= 5.6.0 and < 5.6.9
Fortinet FortiOS: >= 6.0.0 and < 6.0.5
