CVE-2024-5276

CRITICAL EPSS 99.8%
Published Jun 25, 20242y ago · Modified Jun 17, 20262w ago
9.1 CVSS 3.1
Critical
Find Similar
Published Jun 25, 2024 2y ago
Last Modified Jun 17, 2026 2w ago

Description

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data.  Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.

CVSS Details

Base Score
9.1
Exploitability
3.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
99.8% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-89 SQL Injection Injection

Affected Products 7

VendorProductVersionRange
fortrafilecatalyst_workflow* <5.1.6
fortrafilecatalyst_workflow5.1.6any
fortrafilecatalyst_workflow5.1.6any
fortrafilecatalyst_workflow5.1.6any
fortrafilecatalyst_workflow5.1.6any
fortrafilecatalyst_workflow5.1.6any
fortrafilecatalyst_workflow5.1.6any

References 3

  • support.fortra.com https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0
    MitigationVendor Advisory
  • fortra.com https://www.fortra.com/security/advisory/fi-2024-008
    Vendor Advisory
  • tenable.com https://www.tenable.com/security/research/tra-2024-25
    ExploitThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.