{"containers":{"cna":{"affected":[{"product":"Fortinet FortiOS, FortiProxy","vendor":"Fortinet","versions":[{"status":"affected","version":"FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8,  1.1.0 to 1.1.6, 1.0.0 to 1.0.7"}]}],"datePublic":"2019-05-24T00:00:00.000Z","descriptions":[{"lang":"en","value":"An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"description":"Improper Access Control","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2021-06-03T10:28:48.000Z","orgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","shortName":"fortinet"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://fortiguard.com/advisory/FG-IR-18-389"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.fortiguard.com/psirt/FG-IR-20-231"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"psirt@fortinet.com","ID":"CVE-2018-13382","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Fortinet FortiOS, FortiProxy","version":{"version_data":[{"version_value":"FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8,  1.1.0 to 1.1.6, 1.0.0 to 1.0.7"}]}}]},"vendor_name":"Fortinet"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests"}]},"impact":{"cvss":{"attackComplexity":"Low","attackVector":"Network","availabilityImpact":"None","baseScore":8.9,"baseSeverity":"High","confidentialityImpact":"High","integrityImpact":"High","privilegesRequired":"None","scope":"Unchanged","userInteraction":"None","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Access Control"}]}]},"references":{"reference_data":[{"name":"https://fortiguard.com/advisory/FG-IR-18-389","refsource":"CONFIRM","url":"https://fortiguard.com/advisory/FG-IR-18-389"},{"name":"https://www.fortiguard.com/psirt/FG-IR-20-231","refsource":"CONFIRM","url":"https://www.fortiguard.com/psirt/FG-IR-20-231"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T09:00:35.087Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://fortiguard.com/advisory/FG-IR-18-389"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.fortiguard.com/psirt/FG-IR-20-231"}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2018-13382","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-10-23T13:31:11.882776Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2022-01-10","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13382"}}}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-13382","tags":["government-resource"]}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-863","description":"CWE-863 Incorrect Authorization"}]}],"timeline":[{"time":"2022-01-10T00:00:00.000Z","lang":"en","value":"CVE-2018-13382 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T23:45:35.394Z"}}]},"cveMetadata":{"assignerOrgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","assignerShortName":"fortinet","cveId":"CVE-2018-13382","datePublished":"2019-06-04T20:33:53.000Z","dateReserved":"2018-07-06T00:00:00.000Z","dateUpdated":"2025-10-21T23:45:35.394Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}