FortiSOAR - Server-side Template Injection in playbook execution

Summary

An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.

Version Affected Solution
FortiSOAR 7.4 Not affected Not Applicable
FortiSOAR 7.3 7.3.0 through 7.3.1 Upgrade to 7.3.2 or above

Acknowledgement

Internally discovered and reported by Boumediene Kaddour from System and Sales Team

Timeline

2023-04-04: Initial publication

2023-04-12: Update Solutions and Acknowledgement