Vulnerabilities (CVE)

Filtered by vendor Fortinet Subscribe
Filtered by product Fortisoar
Total 21 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-48891 1 Fortinet 1 Fortisoar 2025-10-15 N/A 7.0 HIGH
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR 7.6.0 through 7.6.1, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an attacker who has already obtained a non-login low privileged shell access (via another hypothetical vulnerability) to perform a local privilege escalation via crafted commands.
CVE-2025-32932 1 Fortinet 1 Fortisoar 2025-08-15 N/A 6.5 MEDIUM
An Improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR version 7.6.1 and below, version 7.5.1 and below, 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions WEB UI may allow an authenticated remote attacker to perform an XSS attack via stored malicious service requests
CVE-2024-48892 1 Fortinet 1 Fortisoar 2025-08-14 N/A 6.8 MEDIUM
A relative path traversal vulnerability [CWE-23] in FortiSOAR 7.6.0, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack.
CVE-2024-21760 1 Fortinet 1 Fortisoar 2025-07-24 N/A 8.4 HIGH
An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet.
CVE-2024-47572 1 Fortinet 1 Fortisoar 2025-07-16 N/A 9.0 CRITICAL
An improper neutralization of formula elements in a csv file in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows attacker to execute unauthorized code or commands via manipulating csv file
CVE-2022-23439 1 Fortinet 14 Fortiadc, Fortiauthenticator, Fortiddos and 11 more 2025-02-12 N/A 4.7 MEDIUM
A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.0 and before 7.0.5, FortiADC version 7.0.0 through 7.0.1 and before 6.2.3 , FortiDDoS before version 5.5.1, FortiDDoS-F before version 6.3.3, FortiTester before version 7.2.1, FortiSOAR before version 7.2.2 and FortiSwitch before version 6.3.3 allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver
CVE-2024-48893 1 Fortinet 1 Fortisoar 2025-02-03 N/A 6.8 MEDIUM
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the creation of malicious playbook.
CVE-2024-36510 1 Fortinet 2 Forticlientems, Fortisoar 2025-01-31 N/A 5.3 MEDIUM
An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to enumerate valid users via observing login request responses.
CVE-2024-45327 1 Fortinet 1 Fortisoar 2025-01-21 N/A 7.5 HIGH
An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests.
CVE-2023-23775 1 Fortinet 1 Fortisoar 2025-01-21 N/A 6.5 MEDIUM
Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerabilities [CWE-89] in FortiSOAR 7.2.0 and before 7.0.3 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.
CVE-2024-31493 1 Fortinet 1 Fortisoar 2025-01-21 N/A 6.5 MEDIUM
An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3.0, version 7.2.2 and below, version 7.0.3 and below may allow an authenticated low privileged user to read Connector passwords in plain-text via HTTP responses.
CVE-2023-27995 1 Fortinet 1 Fortisoar 2024-11-21 N/A 7.2 HIGH
A improper neutralization of special elements used in a template engine vulnerability in Fortinet FortiSOAR 7.3.0 through 7.3.1 allows an authenticated, remote attacker to execute arbitrary code via a crafted payload.
CVE-2023-25605 1 Fortinet 1 Fortisoar 2024-11-21 N/A 7.5 HIGH
A improper access control vulnerability in Fortinet FortiSOAR 7.3.0 - 7.3.1 allows an attacker authenticated on the administrative interface to perform unauthorized actions via crafted HTTP requests.
CVE-2022-42473 1 Fortinet 1 Fortisoar 2024-11-21 N/A 5.3 MEDIUM
A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and 7.2.0 allows an attacker to disclose information via logging into the database using a privileged account without a password.
CVE-2022-38379 1 Fortinet 1 Fortisoar 2024-11-21 N/A 3.5 LOW
Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allow an authenticated attacker to inject HTML tags via input fields of various components within FortiSOAR.
CVE-2022-35847 1 Fortinet 1 Fortisoar 2024-11-21 N/A 6.3 MEDIUM
An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR management interface 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.4 may allow a remote and authenticated attacker to execute arbitrary code via a crafted payload.
CVE-2022-30298 1 Fortinet 1 Fortisoar 2024-11-21 N/A 7.0 HIGH
An improper privilege management vulnerability [CWE-269] in Fortinet FortiSOAR before 7.2.1 allows a GUI user who has already found a way to modify system files (via another, unrelated and hypothetical exploit) to execute arbitrary Python commands as root.
CVE-2022-29062 1 Fortinet 1 Fortisoar 2024-11-21 N/A 6.3 MEDIUM
Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to write to the underlying filesystem with nginx permissions via crafted HTTP requests.
CVE-2022-29061 1 Fortinet 1 Fortisoar 2024-11-21 N/A 7.2 HIGH
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSOAR before 7.2.1 allows an authenticated attacker to execute unauthorized code or commands via crafted HTTP GET requests.
CVE-2022-23443 1 Fortinet 1 Fortisoar 2024-11-21 5.0 MEDIUM 7.5 HIGH
An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API data via crafted HTTP GET requests.