FortiSOAR - Server-side Template Injection in playbook execution
An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.
Affected ProductsFortiSOAR version 7.3.0 through 7.3.1
SolutionsPlease upgrade to FortiSOAR version 7.4.0 or above
Please upgrade to FortiSOAR version 7.3.2 or above
AcknowledgementInternally discovered and reported by Boumediene Kaddour from System and Sales Team
2023-04-04: Initial publication
2023-04-12: Update Solutions and Acknowledgement