A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
The attacker sends a specially crafted POST request to the 'ftpservlet' component, exploiting path traversal sequences in the target path of the uploaded file. The validation mechanism does not properly verify the path, which allows the file to be saved outside the intended 'uploadtemp' directory. If the file is placed in the web server's DocumentRoot directory, the attacker can then execute it as a JSP script — for example, in the form of a web shell — thereby gaining control of the server.
An unauthenticated remote attacker can gain full remote code execution (RCE) on the server, leading to complete breach of confidentiality, integrity, and availability of the system, including the possibility of installing a web shell.
Fortra FileCatalyst Workflow should be updated to version 5.1.6.114 or later, in accordance with the information contained in the vendor's release notes and Fortra security advisory FI-2024-002.
Fortra FileCatalyst Workflow — versions prior to 5.1.6.114 (patch version indicated in vendor references)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortra Filecatalyst Workflow
APPFortra5.1.65.0 – 5.1.6 (bez)
Related vulnerabilities
Domyślne poświadczenia bazy HSQLDB w Fortra FileCatalyst Workflow
SQL Injection w Fortra FileCatalyst Workflow umożliwia modyfikację danych
A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to p...
Deserialization i command injection w Fortra GoAnywhere MFT (License Servlet)
Pominięcie uwierzytelniania w Fortra GoAnywhere MFT — tworzenie konta admina