CVE-2018-9186 : A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in ver

A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 "CSRF validation failure" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.

Published 2018-05-31 22:29:00

Updated 2019-04-22 18:32:14

Source Fortinet, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)

Products affected by CVE-2018-9186

Fortinet » Fortiauthenticator
Versions from including (>=) 4.0.0 and before (<) 5.3.0
cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-9186

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-9186

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2018-9186

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-9186

https://fortiguard.com/advisory/FG-IR-18-059

Potential XSS in "CSRF validation failure" page due to lack of referer sanitization | FortiGuard
Vendor Advisory
http://www.securityfocus.com/bid/104371

Fortinet FortiAuthenticator CVE-2018-9186 Cross Site Scripting Vulnerability
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2018-9186

Products affected by CVE-2018-9186

Exploit prediction scoring system (EPSS) score for CVE-2018-9186

CVSS scores for CVE-2018-9186

CWE ids for CVE-2018-9186

References for CVE-2018-9186