9.8
CVE-2024-25153
- EPSS 41.74%
- Veröffentlicht 13.03.2024 15:15:50
- Zuletzt bearbeitet 19.09.2025 13:15:42
- Quelle df4dee71-de3a-4139-9588-11b62f
- CVE-Watchlists
- Unerledigt
LoginRemote Code Execution in FileCatalyst Workflow 5.x prior to 5.1.6 Build 114
A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fortra ≫ Filecatalyst Workflow Version >= 5.0 < 5.1.6
Fortra ≫ Filecatalyst Workflow Version5.1.6 Updatebuild112
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 41.74% | 0.985 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| df4dee71-de3a-4139-9588-11b62fe6c0ff | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-472 External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html
https://www.fortra.com/security/advisory/fi-2024-002
https://github.com/nettitude/CVE-2024-25153/blob/master/CVE-2024-25153.py