Advisory

Critical SQL injection vulnerabilities reported in Fortra FileCatalyst Workflow

Take action: If you are running Fortra FileCatalyst Workflow, patch now. If you cannot update immediately, cutting the system off from internet access reduces exposure, but it is a stopgap, not a substitute for updating.


Learn More

Fortra has released urgent patches for two vulnerabilities in its FileCatalyst Workflow software, tracked as CVE-2024-6632 and CVE-2024-6633: an SQL injection flaw and a default-credentials flaw in the bundled HSQL database.

  • CVE-2024-6633 (CVSS score 9.8): Default credentials in the HSQL database (HSQLDB) that ships with the product to support installation. The bundled database is not meant for production use, but installations that were never switched to a secure alternative database remain on it, and anyone who can reach the database and knows the default credentials gains unauthorized access to the application's data.
  • CVE-2024-6632 (CVSS score 7.2): SQL injection through a field that is accessible only to super administrators. The flaw, found by Dynatrace during a routine security assessment, stems from insufficient validation of user input supplied during the setup process. A super administrator (or an attacker who has obtained that role) can make unauthorized modifications to the database, compromising data integrity and potentially rendering the system unavailable. The required privilege level lowers the score, but it does not make the issue safe to leave unpatched.

Exploitation of either flaw can affect the confidentiality, integrity, and availability of the system. FileCatalyst Workflow 5.1.6 Build 139 and all earlier versions are affected.
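The bug class behind CVE-2024-6632, shown as an added example that is not FileCatalyst Workflow's code: a hypothetical settings table in SQLite stands in for the application database, an administrative form value is concatenated into an UPDATE, and the same update is then done with bound parameters and an allowlist of editable settings. The table, column and setting names, and the payload, are constructed for the illustration.

```python
"""Added illustration of admin-field SQL injection and its fix.

Not FileCatalyst Workflow's code: SQLite stands in for the application
database, and the 'settings' table and its contents are constructed.
"""
import sqlite3

# Constructed sample data: a few application settings, one of which the
# admin UI is meant to let a super administrator edit.
SEED_SETTINGS = [
    ("company_name", "Example Corp"),
    ("db_jdbc_url", "jdbc:hsqldb:hsql://localhost/workflow"),
    ("license_key", "ABCD-1234"),
]

# Only this setting is supposed to be reachable from the admin form.
ADMIN_EDITABLE = {"company_name"}

# Crafted form value: the leading quote closes the string literal, the
# tautology widens the WHERE clause to every row, and '--' comments out
# the rest of the original statement.
PAYLOAD = "x' WHERE '1'='1' --"


def fresh_db() -> sqlite3.Connection:
    """Return an in-memory database seeded with SEED_SETTINGS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT NOT NULL)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)", SEED_SETTINGS)
    conn.commit()
    return conn


def update_setting_vulnerable(conn: sqlite3.Connection, name: str, value: str) -> None:
    """Insufficient validation: the form value is spliced into the SQL text."""
    sql = f"UPDATE settings SET value = '{value}' WHERE name = '{name}'"
    conn.execute(sql)
    conn.commit()


def update_setting_safe(conn: sqlite3.Connection, name: str, value: str) -> None:
    """Hardened form: allowlist the target setting and bind the value."""
    if name not in ADMIN_EDITABLE:
        raise ValueError(f"setting {name!r} is not editable from the admin UI")
    conn.execute("UPDATE settings SET value = ? WHERE name = ?", (value, name))
    conn.commit()


def dump(conn: sqlite3.Connection) -> dict:
    """Snapshot of the settings table as {name: value}."""
    return dict(conn.execute("SELECT name, value FROM settings ORDER BY name"))


def demo_vulnerable() -> dict:
    """Run the payload through the vulnerable path; every row is overwritten."""
    conn = fresh_db()
    update_setting_vulnerable(conn, "company_name", PAYLOAD)
    return dump(conn)


def demo_safe() -> dict:
    """Run the payload through the hardened path; it is stored as plain text."""
    conn = fresh_db()
    update_setting_safe(conn, "company_name", PAYLOAD)
    return dump(conn)


def safe_rejects_name(name: str) -> bool:
    """True if the hardened path refuses to touch a non-allowlisted setting."""
    conn = fresh_db()
    try:
        update_setting_safe(conn, name, "anything")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
    print("rejects license_key:", safe_rejects_name("license_key"))
```

In the vulnerable path the executed statement becomes `UPDATE settings SET value = 'x' WHERE '1'='1'`, so the database connection string and licence key are clobbered along with the intended field, which is the integrity-then-availability impact the advisory describes. Binding the value as a parameter keeps the quote and the tautology inert, and the allowlist means even a privileged user can only change what the form was designed to change.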

Fortra has fixed both vulnerabilities in FileCatalyst Workflow version 5.1.7. Upgrade to that version or later. If your installation still runs on the bundled HSQL database, also migrate it to a supported production database, since the default setup was never intended for production use.
