SQL Injection in FileCatalyst Workflow 5.1.6 Build 139 (and earlier)

FI-2024-010 - SQL Injection in FileCatalyst Workflow 5.1.6 Build 139 (and earlier)

Severity
High
Published Date
27-Aug-2024
Updated Date
27-Aug-2024
Vulnerabilities
CVE-2024-6632
Notes
Description

A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability.


Vulnerabilities

SQL Injection in FileCatalyst Workflow 5.1.6 Build 139 (and earlier)
Severity
High
CVE
CVE-2024-6632
CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Discovery Date
01-Jul-2024
CVSSv3.1
7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Products
FileCatalyst Workflow 5.1.6 Build 139 (and earlier)
Vulnerability Notes
Remediation: Vendor Fix

Upgrade to FileCatalyst Workflow 5.1.7 or later.

References

Acknowledgements

Fortra would like to thank the following individuals:

  • Dynatrace Security Research