Main Vulnerability Database SB2019052702

SB2019052702 - Authentication bypass in FortiOS SSL VPN

Published: May 27, 2019

Security Bulletin ID SB2019052702

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authorization (CVE-ID: CVE-2018-13382)

The vulnerability allows a remote attacker to bypass authorization.

The vulnerability exists due to unspecified error within the SSL VPN web portal when processing HTTP requests. A remote non-authenticated attacker can send a specially crafted HTTP request to the SSL VPN web portal and change password for arbitrary account.

Successful exploitation of the vulnerability may allow an attacker to login to the SSL VPN web portal with a new password and gain unauthorized access to network resources.

Remediation

Install update from vendor's website.

References

https://fortiguard.com/psirt/FG-IR-18-389