PSIRT Advisories

FortiSOAR - Server-Side Template Injection in Playbook component

Summary

An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.

Affected Products

FortiSOAR version 7.2.0
FortiSOAR version 7.0.0 through 7.0.3
FortiSOAR version 6.4.0 through 6.4.4

Solutions

Please upgrade to FortiSOAR version 7.2.1 or above