A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to the web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
Fixes

Solution

Upgrade to FileCatalyst 5.1.6 Build 114 or later to remediate this issue.


Workaround

No workaround given by the vendor.

History

Fri, 19 Sep 2025 13:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Fortra filecatalyst |
| CPEs | | cpe:2.3:a:fortra:filecatalyst:5.1.4:*:*:*:*:*:*:* |
| Vendors & Products | | Fortra filecatalyst |
| References | | |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 21 Jan 2025 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Fortra |
| | | Fortra filecatalyst Workflow |
| Weaknesses | | CWE-668 |
| CPEs | | cpe:2.3:a:fortra:filecatalyst_workflow:*:*:*:*:*:*:*:* |
| | | cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build112:*:*:*:*:*:* |
| Vendors & Products | | Fortra |
| | | Fortra filecatalyst Workflow |

MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2025-09-19T12:46:03.155Z

Reserved: 2024-02-06T21:23:57.924Z

Link: CVE-2024-25153

Vulnrichment

Updated: 2024-08-01T23:36:21.630Z

NVD

Status: Modified

Published: 2024-03-13T15:15:50.913

Modified: 2025-09-19T13:15:42.337

Link: CVE-2024-25153

Redhat

No data.

OpenCVE Enrichment

No data.