FortiAIOps - CSV Injection in export device inventory feature

Summary

An improper neutralization of formula elements in a CSV File vulnerability [CWE-1236] in FortiAIOps may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV reports.
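The advisory does not describe how the fix was implemented. As an added example (not Fortinet's code), the sketch below shows one common server-side mitigation for CWE-1236 in an export feature: string cells that a spreadsheet would evaluate as a formula are prefixed with an apostrophe, and every field is quoted so a value cannot break out into a new cell. The function names, field names and sample inventory are hypothetical.

```python
import csv
import io

# Leading characters that make spreadsheet applications evaluate a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return cell text that a spreadsheet will display instead of evaluate."""
    if value is None:
        return ""
    # Numbers typed by the server itself are safe and keep their sign.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    # Look past leading spaces: some applications trim them before parsing.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_inventory_csv(rows, fieldnames):
    """Serialize inventory rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field and doubles embedded quotes, so commas,
    # quotes or newlines inside a value cannot start a new cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow([neutralize_cell(name) for name in fieldnames])
    for row in rows:
        writer.writerow([neutralize_cell(row.get(name)) for name in fieldnames])
    return buf.getvalue()


# Constructed sample inventory (hypothetical fields, benign formulas only).
SAMPLE_DEVICES = [
    {"hostname": "ap-lobby-01", "model": "AP-1", "rssi": -67},
    {"hostname": "=1+1", "model": "AP-1", "rssi": -70},
    {"hostname": "  @SUM(A1:A2)", "model": 'x",=2+2,"', "rssi": -55},
]

if __name__ == "__main__":
    print(export_inventory_csv(SAMPLE_DEVICES, ["hostname", "model", "rssi"]))
```

Neutralizing at export time protects the report even when untrusted values are already stored; string values such as "-67" are also prefixed, which is why numeric fields should be passed as numbers rather than text.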

Version          Affected   Solution
FortiAIOps 2.0   2.0.0      Upgrade to 2.0.1 or above

Acknowledgement

Internally discovered and reported by Shree Rawal of the Fortinet PSIRT team.

Timeline

2024-07-09: Initial publication