Information disclosure in content hub

Summary

An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR may allow an authenticated, low-privileged user to read Connector passwords in plain text via HTTP responses.
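The weakness class is easy to reproduce in miniature: a stored connector record is serialised straight into an HTTP response, so any caller who can reach the endpoint sees the stored password. The example below is added here for illustration and is not FortiSOAR code; the connector records, field names, endpoint functions and the regression check are all constructed assumptions. It contrasts the leaky serialisation with a version that redacts secret-named fields at the transfer boundary, and includes the check a tester would run against a captured response body.

```python
"""Illustration of CWE-212 (improper removal of sensitive information before
storage or transfer). Added example, not FortiSOAR code; every record, key name
and function here is a constructed assumption."""

import json
import re

# Constructed connector configurations, the kind of record a content hub
# returns when a user opens a connector's detail page.
CONNECTORS = {
    "siem_prod": {
        "name": "siem_prod",
        "version": "2.1.0",
        "config": {
            "url": "https://siem.example.internal:8089",
            "username": "soar-svc",
            "password": "Hunter2-2024",      # stored secret
            "verify_ssl": True,
        },
    },
    "ticketing": {
        "name": "ticketing",
        "version": "1.4.2",
        "config": {
            "url": "https://tickets.example.internal",
            "api_key": "tk_live_0a1b2c3d",   # stored secret
            "timeout": 30,
        },
    },
}

# Keys whose string values must never leave the service in clear.
SECRET_KEYS = re.compile(r"password|passwd|secret|token|api_key|private_key", re.I)
MASK = "********"


def leaky_connector_view(name):
    """Vulnerable pattern: serialise the stored record exactly as stored.
    Any authenticated caller who can reach this view reads the password."""
    return json.dumps(CONNECTORS[name])


def redact(obj):
    """Recursively replace string values under secret-named keys with MASK,
    returning a new structure and leaving the stored record untouched."""
    if isinstance(obj, dict):
        return {
            k: (MASK if SECRET_KEYS.search(k) and isinstance(v, str) else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(x) for x in obj]
    return obj


def safe_connector_view(name):
    """Hardened pattern: redact at the serialisation boundary for every caller.
    Secrets are write-only from the API's point of view; a privilege check
    alone would not help because low-privileged users are legitimate callers."""
    return json.dumps(redact(CONNECTORS[name]))


def find_leaked_secrets(response_body, known_secrets):
    """Regression check for a captured HTTP response body: return the subset of
    known secret values that appear verbatim in the response."""
    return {s for s in known_secrets if s in response_body}


if __name__ == "__main__":
    secrets = {"Hunter2-2024", "tk_live_0a1b2c3d"}
    for view in (leaky_connector_view, safe_connector_view):
        for name in CONNECTORS:
            body = view(name)
            print(view.__name__, name, "leaks:", find_leaked_secrets(body, secrets))
```

Redacting by key name at the boundary is deliberately caller-independent: the fix for this class of bug is to make stored credentials write-only in the API, not to add a role check in front of a response that still carries the clear-text value.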

Version          Affected            Solution
FortiSOAR 7.3    7.3.0               Upgrade to 7.3.1 or above
FortiSOAR 7.2    7.2 all versions    Migrate to a fixed release
FortiSOAR 7.0    7.0 all versions    Migrate to a fixed release

Acknowledgement

Fortinet is pleased to thank James Cato from New Zealand Police for reporting this vulnerability under responsible disclosure.

Timeline

2024-05-14: Initial publication