The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database.
FileCatalyst Workflow is a web-based file exchange and sharing platform supporting large file sizes.
It's used by organizations worldwide to accelerate data transfers and collaborate in private cloud spaces.
The critical vulnerability, tracked as CVE-2024-5276, was discovered on June 18, 2024, by Tenable researchers, but was made public only yesterday.
Fortra explains in a security bulletin that the flaw allows admin user creation and database manipulation, but stealing data isn't viable through it.
The flaw impacts FileCatalyst Workflow 5.1.6 Build 135 and older versions.
Fixes were made available in FileCatalyst Workflow 5.1.6 build 139, which is the recommended upgrade target for users.
Otherwise, authentication is required to exploit CVE-2024-5276.
Tenable discovered CVE-2024-5276 on May 15, 2024, and first disclosed the issue to Fortra on May 22, along with a proof-of-concept exploit demonstrating the vulnerability.
Simultaneously to the publication of Fortra's security bulletin, Tenable published its exploit, showcasing how an anonymous remote attacker can perform SQL injection via the 'jobID' parameter in various URL endpoints of the Workflow web app.
The problem is that the 'findJob' method uses a user-supplied 'jobID' without sanitizing the input to form the 'WHERE' clause in an SQL query, allowing an attacker to insert malicious code.
Tenable's script logs into the FileCatalyst Workflow application anonymously and performs an SQL Injection via the 'jobID' parameter to insert a new admin user with a known password.
Eventually, it retrieves the logon token and uses the newly created admin credentials to log in on the vulnerable endpoint.
There have been no reports about active exploitation of the issue, but the release of a working exploit could change that very soon.
In early 2023, the Clop ransomware gang exploited a Fortra GoAnywhere MFT zero-day vulnerability, tracked as CVE-2023-0669, in data theft attacks to blackmail hundreds of organizations using the product.
Exploit for critical Veeam auth bypass available, patch now.
Exploit for critical Progress Telerik auth bypass released, patch now.
QNAP QTS zero-day in Share feature gets public RCE exploit.
Exploit for Veeam Recovery Orchestrator auth bypass available, patch now.
Exploit released for maximum severity Fortinet RCE bug, patch now.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Jun 2024 19:10:19 +0000