Multiple Vulnerabilities in FileCatalyst Direct

Fortra Security and Trust Center

FI-2024-003 - Multiple Vulnerabilities in FileCatalyst Direct

Severity
Moderate
Published Date
13-Mar-2024
Updated Date
13-Mar-2024
Vulnerabilities
CVE-2024-25154
CVE-2024-25155
Notes
Description

A pair of vulnerabilities exist within FileCatalyst Direct 3.8.8 and earlier. See the vulnerability descriptions below for additional details.


Vulnerabilities

Path Traversal in FileCatalyst Direct
Severity
Moderate
CVE
CVE-2024-25154
CWE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Discovery Date
09-Jan-2024
CVSSv3.1
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products
Fortra FileCatalyst Direct 3.x before 3.8.9
Vulnerability Notes
Description

Improper URL validation in FileCatalyst Direct 3.8.8 and earlier allows path traversal: an encoded payload can cause the web server to return files located outside of the webroot, which may lead to data leakage.

Remediation: Vendor Fix

Upgrade to FileCatalyst Direct 3.8.9 or higher.

Reflected Cross-Site Scripting (XSS) in FileCatalyst Direct
Severity
Moderate
CVE
CVE-2024-25155
CWE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Discovery Date
09-Jan-2024
CVSSv3.1
7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
Affected Products
Fortra FileCatalyst Direct 3.x before 3.8.9
Vulnerability Notes
Description

In FileCatalyst Direct 3.8.8 and earlier, the web server does not properly sanitize illegal characters in a URL, and that URL is then embedded in a subsequent error page. A malicious actor could craft a URL that would then execute arbitrary code within an HTML script tag.

Remediation: Vendor Fix

Upgrade to FileCatalyst Direct 3.8.9 or higher.
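As an added illustration, not Fortra's code or FileCatalyst's implementation, the following Python handler shows the two defensive checks the descriptions above imply: a webroot boundary test applied to the decoded request path (CVE-2024-25154, CWE-22) and HTML escaping of the URL before it is echoed into an error page (CVE-2024-25155, CWE-79). WEBROOT, the error template and all function names are assumptions, and the request paths it runs on are constructed.

```python
import html
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed example, not FileCatalyst code. WEBROOT, the function names and the
# error template are hypothetical; the checks are generic CWE-22 / CWE-79 mitigations.
WEBROOT = "/srv/webroot"
ERROR_TEMPLATE = "<html><body><p>The requested URL {url} was not found.</p></body></html>"


def resolve_under_webroot(url_path: str) -> Optional[str]:
    """Map a request path to a file under WEBROOT, or return None if it escapes.

    The boundary test runs on the *decoded* path, so encodings such as %2e%2e%2f
    are normalized before the check; testing the raw URL is the gap CWE-22 describes.
    """
    decoded = unquote(url_path.split("?", 1)[0])
    # Backslashes and NUL bytes have no place in a URL path; reject rather than guess.
    if "\\" in decoded or "\x00" in decoded:
        return None
    # Purely lexical normalization (no filesystem access), then a prefix test
    # that is not fooled by a sibling directory such as /srv/webroot2.
    candidate = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if candidate != WEBROOT and not candidate.startswith(WEBROOT + "/"):
        return None
    return candidate


def render_error_page_unsafe(url_path: str) -> str:
    """The pattern behind CWE-79: the raw URL is interpolated straight into HTML."""
    return ERROR_TEMPLATE.format(url=url_path)


def render_error_page(url_path: str) -> str:
    """Hardened form: escape <, >, &, and quotes before the URL reaches the page."""
    return ERROR_TEMPLATE.format(url=html.escape(url_path, quote=True))


def handle_request(url_path: str) -> Tuple[int, str]:
    """Return (status, payload): the file path to serve, or the escaped error page."""
    target = resolve_under_webroot(url_path)
    if target is None:
        # Traversal attempts get the same generic 404 as any other missing file.
        return 404, render_error_page(url_path)
    return 200, target  # a real server would open and stream this file here


if __name__ == "__main__":
    for path in ("/docs/index.html", "/%2e%2e/%2e%2e/etc/hosts", "/missing<b>"):
        print(path, "->", handle_request(path))
```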
