A critical security flaw has been disclosed in Fortra FileCatalyst Workflow that, if left unpatched, could make it possible for an attacker to tamper with the application database.
Tracked as CVE-2024-5276, the vulnerability carries a CVSS rating of 9.8. It impacts FileCatalyst Workflow variations 5.1.6 Establish 135 and earlier. It has been tackled in model 5.1.6 develop 139.
“An SQL injection vulnerability in Fortra FileCatalyst Workflow makes it possible for an attacker to modify software facts,” Fortra stated in an advisory posted Tuesday. “Probable impacts incorporate creation of administrative people and deletion or modification of information in the application databases.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
It also emphasised that effective unauthenticated exploitation calls for a Workflow procedure with nameless obtain enabled. Alternatively, it can also be abused by an authenticated consumer.
Consumers who can not implement the patches instantly can disable the susceptible servlets – csv_servlet, pdf_servlet, xml_servlet, and json_servlet – in the “web.xml” file found in the Apache Tomcat installation directory as short term workarounds.
Cybersecurity firm Tenable, which documented the flaw on May perhaps 22, 2024, has since launched a proof-of-strategy (PoC) exploit for the flaw.
“A person-provided jobID is utilised to variety the Where by clause in an SQL query,” it mentioned. “An anonymous remote attacker can carry out SQLi by means of the JOBID parameter in several URL endpoints of the workflow web application.”
Found this article attention-grabbing? Observe us on Twitter and LinkedIn to read much more unique information we submit.
Some components of this short article are sourced from:
thehackernews.com