{"api_version":"1","generated_at":"2026-05-06T21:50:25+00:00","cve":"CVE-2018-9186","urls":{"html":"https://cve.report/CVE-2018-9186","api":"https://cve.report/api/cve/CVE-2018-9186.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-9186","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-9186"},"summary":{"title":"CVE-2018-9186","description":"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.","state":"PUBLIC","assigner":"psirt@fortinet.com","published_at":"2018-05-31 22:29:00","updated_at":"2019-04-22 18:32:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://fortiguard.com/advisory/FG-IR-18-059","name":"https://fortiguard.com/advisory/FG-IR-18-059","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Potential XSS in \"CSRF validation failure\" page due to lack of referer sanitization | FortiGuard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/104371","name":"104371","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Malformed Request","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-9186","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9186","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"9186","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiauthenticator","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"9186","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiauthenticator","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"psirt@fortinet.com","DATE_PUBLIC":"2018-05-29T00:00:00","ID":"CVE-2018-9186","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"FortiAuthenticator","version":{"version_data":[{"version_value":"below 5.3.0 versions"}]}}]},"vendor_name":"Fortinet, Inc."}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Execute unauthorized code or commands"}]}]},"references":{"reference_data":[{"name":"https://fortiguard.com/advisory/FG-IR-18-059","refsource":"CONFIRM","url":"https://fortiguard.com/advisory/FG-IR-18-059"},{"name":"104371","refsource":"BID","url":"http://www.securityfocus.com/bid/104371"}]}},"nvd":{"publishedDate":"2018-05-31 22:29:00","lastModifiedDate":"2019-04-22 18:32:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"5.3.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"9186","Ordinal":"125580","Title":"CVE-2018-9186","CVE":"CVE-2018-9186","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"9186","Ordinal":"1","NoteData":"A cross-site scripting (XSS) vulnerability in Fortinet FortiAuthenticator in versions 4.0.0 to before 5.3.0 \"CSRF validation failure\" page allows attacker to execute unauthorized script code via inject malicious scripts in HTTP referer header.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"9186","Ordinal":"2","NoteData":"2018-05-31","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"9186","Ordinal":"3","NoteData":"2019-03-21","Type":"Other","Title":"Modified"}]}}}