CVE-2018-13383: Fortinet FortiOS and FortiProxy Out-of-bounds Write
First published: Wed May 29 2019(Updated: )
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
Credit: psirt@fortinet.com psirt@fortinet.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fortinet FortiProxy | <=1.2.8 | |
| Fortinet FortiProxy | =2.0.0 | |
| Fortinet FortiOS | <=5.2.14 | |
| Fortinet FortiOS | >=5.4.0<=5.4.12 | |
| Fortinet FortiOS | >=5.6.0<=5.6.10 | |
| Fortinet FortiOS | >=6.0.0<=6.0.4 | |
| Fortinet FortiOS and FortiProxy | ||
| Fortinet FortiProxy | <1.2.9 | |
| Fortinet FortiOS | >=5.2.0<5.2.15 | |
| Fortinet FortiOS | >=5.4.0<5.4.13 | |
| Fortinet FortiOS | >=5.6.0<5.6.11 | |
| Fortinet FortiOS | >=6.0.0<6.0.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Fortinet vulnerability?
The vulnerability ID for this Fortinet vulnerability is CVE-2018-13383.
What is the severity of CVE-2018-13383?
CVE-2018-13383 has a severity rating of 6.5 (medium).
Which software versions are affected by CVE-2018-13383?
CVE-2018-13383 affects Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier, as well as FortiProxy 2.0.0, 1.2.8 and earlier.
What is the impact of CVE-2018-13383?
CVE-2018-13383 may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javas…
Where can I find more information about CVE-2018-13383?
You can find more information about CVE-2018-13383 on the Fortinet FortiGuard advisory pages: [FG-IR-18-388](https://fortiguard.com/advisory/FG-IR-18-388) and [FG-IR-20-229](https://fortiguard.com/advisory/FG-IR-20-229).
- agent/type
- agent/softwarecombine
- agent/description
- agent/title
- agent/weakness
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/event
- agent/first-publish-date
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- vendor/fortinet
- canonical/fortinet fortiproxy
- version/fortinet fortiproxy/1.2.8
- version/fortinet fortiproxy/2.0.0
- canonical/fortinet fortios
- version/fortinet fortios/5.2.14
- version/fortinet fortios/5.4.0
- version/fortinet fortios/5.4.12
- version/fortinet fortios/5.6.0
- version/fortinet fortios/5.6.10
- version/fortinet fortios/6.0.0
- version/fortinet fortios/6.0.4
- canonical/fortinet fortios and fortiproxy
- version/fortinet fortios/5.2.0