"Fortra Patches Critical Vulnerability in FileCatalyst Workflow"

Cybersecurity solutions provider Fortra recently announced patches for two vulnerabilities in FileCatalyst Workflow, including a critical severity flaw involving leaked credentials.  The critical issue is tracked as CVE-2024-6633 (CVSS score of 9.8) and exists because the default credentials for the setup HSQL database (HSQLDB) have been published in a vendor knowledgebase article.   Fortra recommends that the bundled HSQL database should not be used and notes that CVE-2024-6633 is exploitable only if the attacker has access to the network and port scanning and if the HSQLDB port is exposed to the internet.  The company has addressed the vulnerability by limiting access to the database to localhost.  Patches were included in FileCatalyst Workflow version 5.1.7 build 156, which also resolves a high-severity SQL injection flaw tracked as CVE-2024-6632.  Fortra stated that a vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack, leading to a loss of confidentiality, integrity, and availability.  Fortra customers are advised to update to FileCatalyst Workflow version 5.1.7 build 156 or later as soon as possible.  The company does not mention any of these vulnerabilities being exploited in attacks.

SecurityWeek reports: "Fortra Patches Critical Vulnerability in FileCatalyst Workflow"