"Fortra Patches Critical SQL Injection in FileCatalyst Workflow"

Fortra recently announced patches for a critical-severity SQL injection vulnerability in FileCatalyst Workflow that could allow attackers to create administrative user accounts. The vulnerability is tracked as CVE-2024-5276 (CVSS score of 9.8) and affects FileCatalyst Workflow version 5.1.6 Build 135 and earlier. The company noted that the issue could also be exploited to modify application data, but that data exfiltration via this SQL injection is impossible. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled; otherwise, an authenticated user is needed. According to Tenable, which identified the security defect, CVE-2024-5276 exists because a user-supplied jobID is used when forming the "Where" clause in an SQL query. Fortra addressed the vulnerability in FileCatalyst Workflow version 5.1.6 build 139. Users are advised to update their instances as soon as possible.
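The root cause described above, a caller-controlled job identifier spliced into a WHERE clause, is a classic pattern, and the fix is the same one the advisory implies. The following is an added illustration, not Fortra's or Tenable's code: the table schema, the sample rows and the job ID format (`J-` followed by four digits) are constructed assumptions. It puts the vulnerable string-building lookup beside a parameterized one, plus an input-validation check a defender would add in front of the database layer, and uses an in-memory SQLite database so it runs offline.

```python
import re
import sqlite3


def make_db():
    """Build a constructed in-memory 'jobs' table standing in for a workflow database.

    The schema and rows are assumptions for this example, not FileCatalyst's.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (job_id TEXT PRIMARY KEY, owner TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?, ?)",
        [("J-1001", "alice", "done"), ("J-1002", "bob", "running"), ("J-1003", "carol", "queued")],
    )
    return conn


def lookup_job_vulnerable(conn, job_id):
    """Anti-pattern: the caller-controlled value becomes part of the SQL text.

    A quote character inside job_id changes the structure of the WHERE clause,
    so the query can match rows the caller was never meant to see.
    """
    sql = "SELECT job_id, owner, status FROM jobs WHERE job_id = '" + job_id + "'"
    return conn.execute(sql).fetchall()


def lookup_job_safe(conn, job_id):
    """Fix: bind the value as a parameter so the engine treats it as data only."""
    sql = "SELECT job_id, owner, status FROM jobs WHERE job_id = ?"
    return conn.execute(sql, (job_id,)).fetchall()


def validate_job_id(job_id):
    """Defence in depth: job IDs have a known shape (assumed here), so reject anything else
    before it reaches the database layer. This complements, but does not replace, binding."""
    return re.fullmatch(r"J-\d{4}", job_id) is not None


def compare(job_id):
    """Return (rows from the vulnerable lookup, rows from the safe lookup) for one input."""
    conn = make_db()
    try:
        return len(lookup_job_vulnerable(conn, job_id)), len(lookup_job_safe(conn, job_id))
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed ID behaves identically in both versions.
    print("J-1001 ->", compare("J-1001"))
    # An ID carrying a quote alters the vulnerable query's WHERE clause so it matches
    # every row; the parameterized query simply finds no job with that literal name.
    crafted = "J-1001' OR '1'='1"
    print(repr(crafted), "->", compare(crafted), "valid:", validate_job_id(crafted))
```

The point to take from the comparison is that the parameterized lookup returns nothing for the malformed identifier, because the driver never lets the value participate in query parsing; the validator then lets the application reject and log such input before any query is issued, which is also the event a detection rule would key on.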

SecurityWeek reports: "Fortra Patches Critical SQL Injection in FileCatalyst Workflow"

Submitted by Adam Ekwall on