Fortra Patches Critical SQL Injection in FileCatalyst Workflow

28-June-24

Tracked as CVE-2024-5276 (CVSS score of 9.8) and affecting FileCatalyst Workflow version 5.1.6 Build 135 and earlier, the issue could also be exploited to modify application data, Fortra noted in an advisory.

“Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required,” the company explained.

According to cybersecurity company Tenable, which identified the security defect, CVE-2024-5276 exists because a user-supplied jobID is used when forming the ‘Where’ clause in an SQL query.

Fortra addressed the vulnerability in FileCatalyst Workflow version 5.1.6 build 139. Users are advised to update their instances as soon as possible, as Fortra’s streamlined file transfer solutions have been targeted in malicious attacks.
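The bug class Tenable describes, a user-supplied jobID concatenated into a WHERE clause, illustrated as an added example that is not Fortra's or Tenable's code: the `jobs` table, the `cancel_job_*` functions and the jobID format are constructed here, not FileCatalyst's real schema or API. The vulnerable variant shows why such a flaw lets a caller change how many rows an UPDATE touches; the hardened variant validates the identifier's shape and binds it as a parameter.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed demo schema standing in for a workflow job table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?)",
        [(1, "queued"), (2, "queued"), (3, "done")],
    )
    conn.commit()
    return conn


def cancel_job_vulnerable(conn: sqlite3.Connection, job_id: str) -> int:
    # Hypothetical vulnerable pattern: the jobID string becomes part of the
    # WHERE clause text, so the caller controls the clause, not just a value.
    sql = "UPDATE jobs SET status = 'cancelled' WHERE id = " + job_id
    return conn.execute(sql).rowcount  # rows matched by the UPDATE


# Assumed identifier format for the demo: a short decimal number.
JOB_ID_RE = re.compile(r"[0-9]{1,10}")


def cancel_job_hardened(conn: sqlite3.Connection, job_id: str) -> int:
    # Fix: reject anything that is not a well-formed identifier, then pass the
    # value as a bound parameter so it can never alter the query structure.
    if not JOB_ID_RE.fullmatch(job_id):
        raise ValueError("invalid jobID")
    cur = conn.execute(
        "UPDATE jobs SET status = 'cancelled' WHERE id = ?", (int(job_id),)
    )
    return cur.rowcount


def rows_with_status(conn: sqlite3.Connection, status: str) -> int:
    # Helper for checking how much application data an update changed.
    return conn.execute(
        "SELECT COUNT(*) FROM jobs WHERE status = ?", (status,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("benign id, vulnerable:", cancel_job_vulnerable(db, "1"))
    print("hardened:", cancel_job_hardened(make_db(), "2"))
```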
