Fortra has disclosed a critical-severity SQL injection flaw in FileCatalyst Workflow, its browser-based file transfer platform. In conjunction with the disclosure, security researchers this week have also released a proof-of-concept exploit code for the vulnerability.

The vulnerability (CVE-2024-5276), which ranks 9.8 out of 10 on the CVSS scale, could enable attackers to modify application data, which could then allow them to create administrative users, or delete or modify data in the application database. However, Fortra said that data exfiltration via SQL injection is not possible with this vulnerability.

“Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required,” according to Fortra in its advisory this week. “This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.”

Patches are available, and users are urged to upgrade to FileCatalyst Workflow version 5.1.6 build 139 or later.

Tenable researchers, which first reported the vulnerability, published the PoC exploit code on Tuesday after Fortra fixed the flaw. The flaw stems from a failure of certain processes to appropriately validate input, which can enable SQL injection. SQL injection flaws can allow threat actors to craft input strings, and when targeted applications create SQL statements based on that input, those statements perform actions that weren’t intended by the original application.

“A user-supplied jobID is used to form the WHERE clause in an SQL query… An anonymous remote attacker can perform SQLi via the JOBID parameter in various URL endpoints of the workflow web application,” according to Tenable’s advisory.
According to Tenable, it first contacted Fortra about the flaw in mid-May. On June 25, Fortra informed Tenable that they released a patch and disclosure advisory for the issue.

Fortra products have previously had critical-severity issues in its products related to file transfer functionalities, mostly notably in its GoAnywhere Managed File Transfer (MFT) software. In January, a critical-severity authentication bypass bug was disclosed in GoAnywhere MFT (CVE-2024-0204), and last year, the Cl0p ransomware group exploited a high-severity pre-authentication command injection flaw (CVE-2023-0669) in the software.