Server-side Template Injection in playbook execution
Summary
An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.
Version | Affected | Solution |
---|---|---|
FortiSOAR 7.4 | Not affected | Not Applicable |
FortiSOAR 7.3 | 7.3.0 through 7.3.1 | Upgrade to 7.3.2 or above |
Acknowledgement
Internally discovered and reported by Boumediene Kaddour from System and Sales TeamTimeline
2023-04-04: Initial publication
2023-04-12: Update Solutions and Acknowledgement