FI-2024-002 - Directory Traversal in FileCatalyst Workflow
Severity
Critical
Published Date
13-Mar-2024
Updated Date
13-Mar-2024
Vulnerabilities
CVE-2024-25153
Notes
Description
A directory traversal in the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows a specially crafted POST request to upload files outside the intended 'uploadtemp' directory. Where the upload can be placed under the web portal's DocumentRoot, a specially crafted JSP file could be used to execute code, including as a web shell.
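The weakness described above, as an added example that is not FileCatalyst code and is not the advisory's own material: the upload root, the file names, and the web-root target are constructed for illustration, and the advisory does not say which request field carried the traversal. The naive version joins the client-supplied name onto the temp directory, so a name containing '../' lands the file wherever the process can write, including a JSP under the web root; the hardened version decodes once, accepts only a bare file name, and confirms the resolved path is still under the upload root.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical upload root; the advisory names only an 'uploadtemp' directory.
UPLOAD_ROOT = "/opt/app/uploadtemp"


def vulnerable_upload_path(upload_root: str, client_filename: str) -> str:
    """Naive join: the client-controlled name is trusted, so '../' escapes the root."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))


def safe_upload_path(upload_root: str, client_filename: str) -> str:
    """Return the only path the file may be written to, or raise ValueError."""
    # Decode exactly once so that %2e%2e%2f is seen as ../ before any check.
    name = unquote(client_filename)
    # NUL bytes truncate names in C-backed filesystem calls; never pass them on.
    if "\x00" in name:
        raise ValueError(f"rejected filename: {client_filename!r}")
    # Treat backslashes as separators too, so Windows-style traversal is caught.
    name = name.replace("\\", "/")
    # Accept only a bare file name: no directory component, no '.' or '..'.
    if name != posixpath.basename(name) or name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {client_filename!r}")
    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: the resolved path must still sit under the upload root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"rejected filename: {client_filename!r}")
    return candidate


def is_accepted(upload_root: str, client_filename: str) -> bool:
    """True if the hardened check would allow the name to be written."""
    try:
        safe_upload_path(upload_root, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request file names, from harmless to traversal attempts.
    samples = [
        "report.pdf",
        "../webroot/shell.jsp",          # plain traversal toward a web root
        "..%2Fwebroot%2Fshell.jsp",      # URL-encoded separators
        "..\\webroot\\shell.jsp",        # backslash separators
        "/etc/passwd",                   # absolute path
    ]
    for s in samples:
        print(f"{s!r:32} naive -> {vulnerable_upload_path(UPLOAD_ROOT, s)}")
        print(f"{'':32} safe  -> {'accepted' if is_accepted(UPLOAD_ROOT, s) else 'rejected'}")
```

The important design choice is the allow-list shape of the check: rather than trying to strip '../' sequences (which leaves encoded, doubled, or backslash variants behind), the server decides what a valid name looks like and rejects everything else, then re-verifies the final path against the root before writing.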
FAQ
Question: Why is a CVE being issued now for a vulnerability that was reported in August 2023?
Answer: This vulnerability was reported before Fortra joined the CNA program and was fixed in August 2023. We are issuing a CVE now at the request of the individual who initially reported the vulnerability.
Acknowledgements
Fortra would like to thank the following individuals:
- Tom Wedgbury, LRQA Nettitude