Server-side Template Injection in playbook execution

Summary

An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in the FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.

Version                    Affected               Solution
FortiSOAR on-premise 7.4   Not affected           Not applicable
FortiSOAR on-premise 7.3   7.3.0 through 7.3.1    Upgrade to 7.3.2 or above
FortiSOAR on-premise 7.2   Not affected           Not applicable
FortiSOAR on-premise 7.0   Not affected           Not applicable
FortiSOAR on-premise 6.4   Not affected           Not applicable

Acknowledgement

Internally discovered and reported by Boumediene Kaddour from the System and Sales Team

Timeline

2023-04-11: Initial publication
2023-04-12: Updated Solutions and Acknowledgement