FileCatalyst
by Fortra
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8450 | Hig | 0.53 | 8.2 | 0.00 | Aug 19, 2025 | Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page. | ||
| CVE-2024-5275 | Hig | 0.51 | 7.8 | 0.00 | Jun 18, 2024 | A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack… | ||
| CVE-2024-5276 | 0.10 | — | 0.90 | Jun 25, 2024 | A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not… | |||
| CVE-2024-25153 | 0.07 | — | 0.42 | Mar 13, 2024 | A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s… | |||
| CVE-2024-6632 | 0.00 | — | 0.01 | Aug 27, 2024 | A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability. | |||
| CVE-2024-6633 | 0.00 | — | 0.01 | Aug 27, 2024 | The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only… | |||
| CVE-2024-25155 | 0.00 | — | 0.00 | Mar 13, 2024 | In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script… | |||
| CVE-2024-25154 | 0.00 | — | 0.00 | Mar 13, 2024 | Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage. |
- risk 0.53cvss 8.2epss 0.00
Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page.
- risk 0.51cvss 7.8epss 0.00
A hard-coded password in the FileCatalyst TransferAgent can be found which can be used to unlock the keystore from which contents may be read out, for example, the private key for certificates. Exploit of this vulnerability could lead to a machine-in-the-middle (MiTM) attack…
- CVE-2024-5276Jun 25, 2024risk 0.10cvss —epss 0.90
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not…
- CVE-2024-25153Mar 13, 2024risk 0.07cvss —epss 0.42
A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s…
- CVE-2024-6632Aug 27, 2024risk 0.00cvss —epss 0.01
A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability.
- CVE-2024-6633Aug 27, 2024risk 0.00cvss —epss 0.01
The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledgebase article. Misuse of these credentials could lead to a compromise of confidentiality, integrity, or availability of the software. The HSQLDB is only…
- CVE-2024-25155Mar 13, 2024risk 0.00cvss —epss 0.00
In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script…
- CVE-2024-25154Mar 13, 2024risk 0.00cvss —epss 0.00
Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.