Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application

A critical security flaw has been disclosed in Fortra FileCatalyst Workflow that, if left unpatched, could allow an attacker to tamper with the application database.

Tracked as CVE-2024-5276, the vulnerability carries a CVSS score of 9.8. It impacts FileCatalyst Workflow versions 5.1.6 Build 135 and earlier. It has been addressed in version 5.1.6 build 139.

"An SQL injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data," Fortra said in an advisory published Tuesday. "Likely impacts include creation of administrative users and deletion or modification of data in the application database."

It also emphasized that successful unauthenticated exploitation requires a Workflow system with anonymous access enabled. Alternatively, it can also be abused by an authenticated user.

Users who cannot apply the patches immediately can disable the vulnerable servlets – csv_servlet, pdf_servlet, xml_servlet, and json_servlet – in the "web.xml" file located in the Apache Tomcat installation directory as temporary workarounds.

Cybersecurity firm Tenable, which reported the flaw on May 22, 2024, has since released a proof-of-concept (PoC) exploit for the flaw.

"A user-supplied jobID is used to form the WHERE clause in an SQL query," it said. "An anonymous remote attacker can perform SQLi via the JOBID parameter in various URL endpoints of the workflow web application."