
CVE-2024-48892
https://notcve.org/view.php?id=CVE-2024-48892
12 Aug 2025 — A relative path traversal vulnerability [CWE-23] in FortiSOAR 7.6.0, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack. • https://fortiguard.fortinet.com/psirt/FG-IR-24-421 • CWE-23: Relative Path Traversal •

CVE-2025-32932
https://notcve.org/view.php?id=CVE-2025-32932
12 Aug 2025 — An improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in the FortiSOAR web UI, version 7.6.1 and below, version 7.5.1 and below, 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated remote attacker to perform an XSS attack via stored malicious service requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-513 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-21760
https://notcve.org/view.php?id=CVE-2024-21760
18 Mar 2025 — An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker to execute arbitrary code on the host via a playbook code snippet. • https://fortiguard.fortinet.com/psirt/FG-IR-23-420 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-47572
https://notcve.org/view.php?id=CVE-2024-47572
14 Jan 2025 — An improper neutralization of formula elements in a CSV file vulnerability in Fortinet FortiSOAR 7.2.1 through 7.4.1 allows an attacker to execute unauthorized code or commands via a manipulated CSV file. • https://fortiguard.fortinet.com/psirt/FG-IR-24-210 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2024-36510
https://notcve.org/view.php?id=CVE-2024-36510
14 Jan 2025 — An observable response discrepancy vulnerability [CWE-204] in FortiClientEMS 7.4.0, 7.2.0 through 7.2.4, 7.0 all versions, and FortiSOAR 7.5.0, 7.4.0 through 7.4.4, 7.3.0 through 7.3.2, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an unauthenticated attacker to enumerate valid users via observing login request responses. • https://fortiguard.fortinet.com/psirt/FG-IR-24-071 • CWE-204: Observable Response Discrepancy •

CVE-2024-48893
https://notcve.org/view.php?id=CVE-2024-48893
14 Jan 2025 — An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross-site scripting (XSS) attack via the creation of a malicious playbook. • https://fortiguard.fortinet.com/psirt/FG-IR-24-405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-45327
https://notcve.org/view.php?id=CVE-2024-45327
11 Sep 2024 — An improper authorization vulnerability [CWE-285] in the FortiSOAR change password endpoint, version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3, may allow an authenticated attacker to perform a brute force attack on users' and administrators' passwords via crafted HTTP requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-048 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVE-2023-26211
https://notcve.org/view.php?id=CVE-2023-26211
13 Aug 2024 — An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSOAR 7.3.0 through 7.3.2 allows an authenticated, remote attacker to inject arbitrary web script or HTML via the Communications module. • https://fortiguard.com/psirt/FG-IR-23-088 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-31493
https://notcve.org/view.php?id=CVE-2024-31493
03 Jun 2024 — An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3.0, version 7.2.2 and below, version 7.0.3 and below may allow an authenticated low privileged user to read Connector passwords in plain text via HTTP responses. • https://fortiguard.fortinet.com/psirt/FG-IR-24-052 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •

CVE-2023-27995
https://notcve.org/view.php?id=CVE-2023-27995
11 Apr 2023 — An improper neutralization of special elements used in a template engine vulnerability in Fortinet FortiSOAR 7.3.0 through 7.3.1 allows an authenticated, remote attacker to execute arbitrary code via a crafted payload. • https://fortiguard.com/psirt/FG-IR-23-051 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •