A critical security flaw has been discovered in Fortra FileCatalyst Workflow that, if not patched, could allow an attacker to make changes to the application’s database.
Tracked as CVE-2024-5276, the vulnerability has a CVSS score of 9.8. This affects FileCatalyst Workflow version 5.1.6 Build 135 and earlier. This was addressed in version 5.1.6 of build 139.
“SQL Injection Vulnerability in Fortra FileCatalyst Workflow Allows Attacker to Modify Application Data”, Fortra said in an advisory issued Tuesday. “Possible consequences include the creation of administrative users and the deletion or modification of data in the application database.”
It also emphasizes that successful unauthenticated exploitation requires a Workflow system with anonymous access enabled. Alternatively, it can also be abused by an authenticated user.
Users who cannot apply patches immediately can disable vulnerable servlets – csv_servlet, pdf_servlet, xml_servlet and json_servlet – in the “web.xml” file located in the Apache Tomcat installation directory as temporary workarounds.
Cybersecurity firm Tenable, which reported the flaw on May 22, 2024, has since released a proof-of-concept (PoC) exploit.
“The user-supplied job ID is used to form the WHERE clause in the SQL query” is said. “An anonymous remote attacker can execute SQLi via the JOBID parameter on various workflow web application URL endpoints.”
