A critical security flaw has been discovered in Fortra FileCatalyst Workflow that, if left unfixed, could allow an attacker to tamper with the application database.
This vulnerability, tracked as CVE-2024-5276, has a CVSS score of 9.8. It affects FileCatalyst Workflow versions 5.1.6 build 135 and earlier. It is addressed in version 5.1.6 build 139.
“A SQL injection vulnerability in Fortra FileCatalyst Workflow could allow an attacker to modify application data,” Fortra said in an advisory published on Tuesday. “Possible impacts include creating administrative users and deleting or modifying data in the application database.”
It also highlights that a successful unauthenticated attack requires the workflow system to have anonymous access enabled, but can also be exploited by an authenticated user.
As a temporary workaround, users who are unable to apply the patch immediately can disable the vulnerable servlets (csv_servlet, pdf_servlet, xml_servlet, json_servlet) in the “web.xml” file located in the Apache Tomcat installation directory.
Cybersecurity company Tenable, which reported the vulnerability on May 22, 2024, has subsequently released a proof-of-concept (PoC) exploit for the vulnerability.
“The user-supplied job ID is used to form the WHERE clause of the SQL query,” the company said. “An anonymous remote attacker can execute SQLi via the JOBID parameter on various URL endpoints of the Workflow web application.”
