SQL Injection Vulnerability in FileCatalyst Workflow Allows Modification of Application Data

CVE-2024-5276

9.8CRITICAL

Key Information

Vendor: Fortra
Status: Filecatalyst Workflow
Vendor: CVE Published:; 25 June 2024

Badges

👾 Exploit Exists📰 News Worthy

Summary

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.

Affected Version(s)

FileCatalyst Workflow = 5.1.6; 0

News Articles

Help Net Security

CVE-2024-5276

PoC exploit for critical Fortra FileCatalyst flaw published (CVE-2024-5276) - Help Net Security

A critical SQL injection Vulnerability in Fortra FileCatalyst Workflow (CVE-2024-5276) has been patched, a PoC is already available online.

5 months ago

BleepingComputer

CVE-2024-5276

Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released

The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database.

5 months ago

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

👾
Exploit exists.
Jun 29, 2024
First article discovered by BleepingComputer
Jun 26, 2024
Vulnerability published.
Jun 25, 2024
Vulnerability Reserved.
May 23, 2024

Collectors

NVD DatabaseMitre Database2 News Article(s)

Credit

Tenable Research