CVE-2024-48893

6.8 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers to inject malicious scripts into FortiSOAR playbooks; the scripts then execute in the browsers of other users who view those playbooks. It affects FortiSOAR versions 7.3.0-7.3.3 and 7.2.1-7.2.2. Exploitation requires an authenticated account, but the resulting XSS is stored (persistent) rather than reflected.

💻 Affected Systems

Products:
  • FortiSOAR
Versions: 7.3.0 through 7.3.3, 7.2.1 through 7.2.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with playbook creation/modification privileges. All deployments with affected versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker steals administrator session cookies, gains full administrative access, and potentially compromises the entire FortiSOAR instance and connected systems.

🟠 Likely Case

Authenticated user with playbook creation privileges steals session cookies from other users, leading to privilege escalation and unauthorized access to sensitive security orchestration data.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and playbook creation privileges. Stored XSS payloads persist until the playbook is modified or deleted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.4 and 7.2.3

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-405

Restart Required: Yes

Instructions:

1. Backup FortiSOAR configuration and data.
2. Download and install FortiSOAR version 7.3.4 or 7.2.3 from the Fortinet support portal.
3. Follow the FortiSOAR upgrade documentation.
4. Restart FortiSOAR services.
5. Verify successful upgrade and functionality.

🔧 Temporary Workarounds

Restrict Playbook Creation (applies to: all)

Limit playbook creation/modification permissions to trusted administrators only.

Content Security Policy (applies to: all)

Implement strict CSP headers to block inline script execution.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all playbook content fields
  • Monitor and audit playbook creation/modification activities for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the FortiSOAR version via the admin interface or CLI. If the version is 7.3.0-7.3.3 or 7.2.1-7.2.2, the system is vulnerable.

Check Version:

Check the FortiSOAR web interface admin panel, or consult the FortiSOAR documentation for version-check commands specific to your deployment.

Verify Fix Applied:

Verify that the FortiSOAR version is 7.3.4 or later on the 7.3 branch, or 7.2.3 or later on the 7.2 branch. Test playbook creation with script payloads to ensure proper sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual playbook creation/modification patterns
  • Playbook content containing script tags or JavaScript functions
  • Multiple failed login attempts followed by playbook creation

Network Indicators:

  • HTTP requests with suspicious playbook payloads
  • Outbound connections to external domains from FortiSOAR interface

SIEM Query:

source="fortisoar" AND (event_type="playbook_create" OR event_type="playbook_modify") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
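The SIEM query above matches only the literal strings "<script>" and "javascript:", so a case variant, whitespace inside the tag, an inline event handler, or an entity- or percent-encoded payload slips past it. The following Python scanner is an added example (not part of this advisory or of FortiSOAR) that applies the same idea to JSON-lines audit records with normalization and broader patterns; the record field names (event_type, user, playbook, content) and the sample records are constructed assumptions, not FortiSOAR's real log schema.

```python
import html
import json
import re
from urllib.parse import unquote

# Indicators of script injection in playbook text fields. Unlike the advisory's
# literal CONTAINS checks, these are case-insensitive, tolerate whitespace inside
# the tag, and are applied after decoding entity/percent encoding.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, ...
}
PLAYBOOK_EVENTS = {"playbook_create", "playbook_modify"}

def siem_literal_match(content: str) -> bool:
    """The advisory's query as written: exact, case-sensitive substring checks."""
    return "<script>" in content or "javascript:" in content
def normalize(text: str) -> str:
    """Undo percent- and HTML-entity encoding (twice, to catch double encoding)."""
    for _ in range(2):
        text = html.unescape(unquote(text))
    return text
def scan_event(event: dict) -> list:
    """Names of the indicators that fire on one audit event ([] if none)."""
    if event.get("event_type") not in PLAYBOOK_EVENTS:
        return []
    content = normalize(str(event.get("content", "")))
    return [name for name, rx in INDICATORS.items() if rx.search(content)]
def scan_log(lines: list) -> list:
    """Scan JSON-lines audit records and return one finding per suspicious event."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        hits = scan_event(event)
        if hits:
            findings.append({"user": event.get("user"), "playbook": event.get("playbook"), "hits": hits})
    return findings

# Constructed sample records; the field names are an assumption, not FortiSOAR's schema.
SAMPLE_LOG = [
    '{"event_type": "playbook_create", "user": "analyst1", "playbook": "Triage", "content": "Enrich IP via VirusTotal"}',
    '{"event_type": "playbook_modify", "user": "analyst2", "playbook": "Triage", "content": "<SCRIPT >alert(1)</SCRIPT>"}',
    '{"event_type": "playbook_modify", "user": "analyst3", "playbook": "Notify", "content": "&lt;img src=x onerror=alert(1)&gt;"}',
    '{"event_type": "login_failed", "user": "analyst3", "content": "<script>not a playbook event</script>"}',
]
```

Running `scan_log(SAMPLE_LOG)` flags analyst2 (script_tag) and analyst3 (event_handler), both of which `siem_literal_match` misses; the event_handler pattern can also fire on ordinary text such as "one=", so treat hits as triage candidates rather than verdicts.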
