{"cve":{"cve_id":"CVE-2018-13382","is_kev":true,"kev_date_added":"2022-01-10","kev_vendor_project":"Fortinet","kev_product":"FortiOS and FortiProxy","kev_vulnerability_name":"Fortinet FortiOS and FortiProxy Improper Authorization","kev_short_description":"An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password.","kev_required_action":"Apply updates per vendor instructions.","kev_due_date":"2022-07-10","kev_known_ransomware":true,"kev_notes":"https://nvd.nist.gov/vuln/detail/CVE-2018-13382","kev_cwes":["CWE-285"],"epss_score":0.81691,"epss_percentile":0.99596,"epss_as_of":"2026-06-23","description":"An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests","published_at":"2019-06-04T20:33:53Z","last_modified_at":null,"cvss_v3_score":9.1,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":true,"ssvc_technical_impact":"total","cwes":["CWE-863"],"nvd_references":["https://fortiguard.com/advisory/FG-IR-18-389","https://www.fortiguard.com/psirt/FG-IR-20-231"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-28T23:10:45.874027Z"},"effective_severity":"CRITICAL","badges":["kev","ransomware","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"fortinet","vendor_name":"fortinet","product_slug":"fortinet-fortios-fortiproxy","product_name":"Fortinet FortiOS, FortiProxy","version_start":"FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8,  1.1.0 to 1.1.6, 1.0.0 to 1.0.7","version_start_inclusive":true,"version_end":"FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8,  1.1.0 to 1.1.6, 1.0.0 to 1.0.7","version_end_inclusive":true,"cpe23_uri":"cve5:fortinet:fortinet-fortios-fortiproxy:FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8,  1.1.0 to 1.1.6, 1.0.0 to 1.0.7:FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8, 5.4.1 to 5.4.10, FortiProxy 2.0.0, 1.2.0 to 1.2.8,  1.1.0 to 1.1.6, 1.0.0 to 1.0.7"}],"exploit_refs":[],"news":[],"references":[{"url":"https://fortiguard.com/advisory/FG-IR-18-389","source_type":"MISC","tags":[]},{"url":"https://www.fortiguard.com/psirt/FG-IR-20-231","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2019-06-04T20:33:53Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2022-01-10T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"ssvc_changed","at":"2026-06-24T00:31:12.162116Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:12.162116Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:12.162116Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:12.162116Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:12.162116Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:12.162116Z","label":"CVSS score revised","source":"vulnrichment"}]}