FortiSOAR - Path traversal vulnerabilities in the web API


Multiple relative path traversal vulnerabilities [CWE-23] in the web API of FortiSOAR may allow an authenticated attacker to write in the underlying filesystem with nginx permissions via crafted HTTP requests.

Version Affected Solution
FortiSOAR 7.2 7.2.0 Upgrade to 7.2.1 or above
FortiSOAR 7.0 7.0.0 through 7.0.2 Upgrade to 7.0.3 or above


Fortinet is pleased to thank security researchers Ryan Catterall and OJ Reeves of Beyond Binary for discovering and reporting this vulnerability under responsible disclosure.