Arbitrary Code Execution Vulnerability in FileCatalyst Web Server
CVE-2024-25155

6.1MEDIUM

Key Information:

Vendor: Fortra
Status: Filecatalyst
Vendor: CVE Published:; 13 March 2024

Summary

A vulnerability exists in FileCatalyst Direct versions 3.8.8 and earlier down to 3.8.6, where the web server fails to sanitize illegal characters in URLs. This oversight allows a malicious actor to create a specially crafted URL that executes arbitrary code within an HTML script tag displayed on error pages. This could lead to unauthorized actions and compromise the affected system, exposing users to potential exploitation risks.

Affected Version(s)

FileCatalyst 3.8.6 < 3.8.9

References

https://www.fortra.com/security/advisory/fi-2024-003

https://filecatalyst.software/public/filecatalyst/Direct/...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 13, 2024
Vulnerability Reserved
Feb 6, 2024