CVE-2024-5276

Exploit

EPSS 85.36%
Veröffentlicht 25.06.2024 20:15:14
Zuletzt bearbeitet 04.04.2025 23:59:36
Quelle df4dee71-de3a-4139-9588-11b62f
CVE-Watchlists
Login
Unerledigt
Login

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data.  Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fortra ≫ Filecatalyst Workflow Version < 5.1.6

Fortra ≫ Filecatalyst Workflow Version5.1.6 Update-

Fortra ≫ Filecatalyst Workflow Version5.1.6 Updatebuild112

Fortra ≫ Filecatalyst Workflow Version5.1.6 Updatebuild114

Fortra ≫ Filecatalyst Workflow Version5.1.6 Updatebuild126

Fortra ≫ Filecatalyst Workflow Version5.1.6 Updatebuild130

Fortra ≫ Filecatalyst Workflow Version5.1.6 Updatebuild135

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	85.36%	0.993

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
df4dee71-de3a-4139-9588-11b62fe6c0ff	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0

Vendor Advisory

Mitigation

https://www.fortra.com/security/advisory/fi-2024-008

Vendor Advisory

https://www.tenable.com/security/research/tra-2024-25

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-5276

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-5276

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-5276

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-5276