Cyber Resilience

CVE-2018-13383

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 29 May 2019
Modified: 24 October 2025
KEV Added: 10 January 2022
CVSS Score (v3.1): 4.3 · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score: 0.0176 (83.0th percentile)
Risk Priority: 30 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-13383 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Fortinet FortiOS and FortiProxy. Its CVSS v3.1 base score is 4.3 (Medium).

Operationally, it ranks in the top 17.0% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a heap buffer overflow, tracked as CWE-787, in the SSL VPN web portal component of Fortinet FortiOS versions 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, and 5.2.14 and earlier, as well as FortiProxy 2.0.0 and 1.2.8 and earlier. It arises from a failure to properly handle javascript href data when the portal proxies web pages, and is rated 4.3 on CVSS v3.1 with impact limited to availability (C:N/I:N/A:L).

An attacker who already holds valid SSL VPN credentials (PR:L) and has network access to the portal can trigger the flaw to terminate the SSL VPN web service for logged-in users, a denial-of-service condition that requires no user interaction (UI:N). Confidentiality and integrity are not affected.

The issue appears in FortiGuard advisories FG-IR-18-388 and FG-IR-20-229, and it is catalogued by CISA among vulnerabilities observed in active exploitation.

Vulnerability details

A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet / fortiproxy: 2.0.0 · ≤ 1.2.9
fortinet / fortios: 5.2.0 to 5.2.15 · 5.4.0 to 5.4.13 · 5.6.0 to 5.6.11

Note: each upper bound in this asset data is one release above the last affected version named in the vulnerability details (5.2.14, 5.4.12, 5.6.10 and FortiProxy 1.2.8), which indicates they are exclusive bounds rather than additional affected releases; FortiOS 6.0.0 through 6.0.4 is also affected but does not appear in this list. Use the version ranges in the vulnerability details as the authoritative set when triaging.
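Turning the affected ranges into an actionable patch list is the SI-2 step in practice. The following is an added example, not code from this page or from Fortinet: it encodes the affected ranges exactly as the vulnerability details state them (inclusive ranges, with "X and earlier" modelled as everything up to X), parses either a bare "x.y.z" string or the "Version:" line of FortiOS `get system status` output (the line format is an assumption of this example), and returns the devices that need remediation. The inventory, hostnames and build numbers are constructed for the example.

```python
"""Added example (not from the page, nor Fortinet code): triage a device inventory
against the affected version ranges for CVE-2018-13383."""
import re

# Affected ranges from the vulnerability details, as inclusive (low, high) tuples.
# "X and earlier" is modelled as a range starting at 0.0.0.
AFFECTED = {
    "fortios": [
        ((6, 0, 0), (6, 0, 4)),
        ((5, 6, 0), (5, 6, 10)),
        ((5, 4, 0), (5, 4, 12)),
        ((0, 0, 0), (5, 2, 14)),   # 5.2.14 and earlier
    ],
    "fortiproxy": [
        ((2, 0, 0), (2, 0, 0)),
        ((0, 0, 0), (1, 2, 8)),    # 1.2.8 and earlier
    ],
}

# Assumed shape of the "Version:" line from `get system status` on FortiOS,
# e.g. "Version: FortiGate-60E v6.0.4,build0231,190107 (GA)" (constructed sample).
VERSION_LINE = re.compile(r"Version:\s*(\S+)\s+v(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a (major, minor, patch) tuple from 'x.y.z', 'vx.y.z' or a get-system-status line."""
    m = VERSION_LINE.search(text)
    if m:
        return tuple(int(x) for x in m.groups()[1:])
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    """True if product/version falls inside any affected range for CVE-2018-13383."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    return any(lo <= v <= hi for lo, hi in ranges)


def triage(inventory):
    """Given [(hostname, product, version_text)], return hostnames needing remediation."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory (hostnames, builds and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "fortios", "Version: FortiGate-60E v6.0.4,build0231,190107 (GA)"),
    ("fw-edge-2", "fortios", "Version: FortiGate-100F v6.0.5,build0268,190507 (GA)"),
    ("fw-dc-1", "fortios", "5.6.11"),
    ("fw-legacy", "fortios", "5.0.3"),
    ("proxy-1", "fortiproxy", "2.0.0"),
    ("proxy-2", "fortiproxy", "1.2.9"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2018-13383, patch required")
```

Note that the check is a pure version comparison: a device on a fixed release but with the SSL VPN web portal disabled is reported as not affected only because of its version, and a device on an affected release is reported as affected even if the portal is not exposed. Treat the output as a patch list, not as an exposure assessment.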

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly requires timely patching of the heap buffer overflow in the SSL VPN web portal component.

SI-10 Information Input Validation (prevent): mandates validation of the javascript href data processed by the SSL VPN proxy, addressing the root cause of the overflow.

SI-16 Memory Protection (prevent): requires memory-protection techniques that can limit the impact of heap overflows and the resulting service termination.
