Skip to main content

Fortisoar CVE-2024-48893

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-01-14 psirt@fortinet.com
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:03 vuln.today
CVE Published
Jan 14, 2025 - 14:15 nvd
MEDIUM 6.8

DescriptionCVE.org

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the creation of malicious playbook.

AnalysisAI

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the creation of malicious playbook. Affected products include: Fortinet Fortisoar. Version information: through 7.3.3.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-27995 HIGH
8.8 Apr 11

A improper neutralization of special elements used in a template engine vulnerability in Fortinet FortiSOAR 7.3.0 throug

CVE-2022-35847 HIGH
8.8 Sep 06

An improper neutralization of special elements used in a template engine vulnerability [CWE-1336] in FortiSOAR managemen

CVE-2024-21760 HIGH
8.4 Mar 18

An improper control of generation of code ('Code Injection') vulnerability [CWE-94] in FortiSOAR Connector FortiSOAR 7.4

CVE-2022-30298 HIGH
7.8 Sep 06

An improper privilege management vulnerability [CWE-269] in Fortinet FortiSOAR before 7.2.1 allows a GUI user who has al

CVE-2024-45327 HIGH
7.5 Sep 11

An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 t

CVE-2022-23443 HIGH
7.5 May 04

An improper access control in Fortinet FortiSOAR before 7.2.0 allows unauthenticated attackers to access gateway API dat

CVE-2023-25605 HIGH
7.2 Mar 07

A improper access control vulnerability in Fortinet FortiSOAR 7.3.0 - 7.3.1 allows an attacker authenticated on the admi

CVE-2022-29061 HIGH
7.2 Sep 09

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in

CVE-2024-31493 MEDIUM
6.5 Jun 03

An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR version 7.3

CVE-2022-29062 MEDIUM
6.5 Sep 06

Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiSOAR before 7.2.1 allows an authenticated att

CVE-2022-42473 MEDIUM
5.5 Nov 02

A missing authentication for a critical function vulnerability in Fortinet FortiSOAR 6.4.0 - 6.4.4 and 7.0.0 - 7.0.3 and

CVE-2022-38379 MEDIUM
5.4 Dec 06

Improper neutralization of input during web page generation [CWE-79] in FortiSOAR 7.0.0 through 7.0.3 and 7.2.0 may allo

Share

CVE-2024-48893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy