CVE-2024-25155

7.2 HIGH

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in FileCatalyst Direct web server versions 3.8.6 through 3.8.8. Attackers can craft malicious URLs that execute arbitrary JavaScript code in victims' browsers when error pages are displayed. Organizations using affected FileCatalyst Direct versions are at risk.

💻 Affected Systems

Products:
  • FileCatalyst Direct
Versions: 3.8.6 through 3.8.8
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web server component of FileCatalyst Direct.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deliver malware payloads through the victim's browser.

🟠 Likely Case

Session hijacking, credential theft, or defacement of error pages through injected content.

🟢 If Mitigated

Limited impact if proper web application firewalls, content security policies, or input validation are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited and require minimal technical skill to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.9.90

Vendor Advisory: https://www.fortra.com/security/advisory/fi-2024-003

Restart Required: Yes

Instructions:

1. Download FileCatalyst Direct version 3.8.9.90 or later from the vendor.
2. Back up the current configuration and data.
3. Install the updated version following vendor documentation.
4. Restart the FileCatalyst Direct service.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF)

Configure WAF rules to block XSS payloads in URLs and sanitize input.

Apply Content Security Policy (CSP)

Implement CSP headers to restrict script execution sources.

Add HTTP header: Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Restrict access to FileCatalyst Direct web interface using network segmentation or firewall rules.
  • Monitor web server logs for suspicious URL patterns containing script tags or JavaScript code.

🔍 How to Verify

Check if Vulnerable:

Check the FileCatalyst Direct version via the web interface or configuration files. If the version is between 3.8.6 and 3.8.8 inclusive, the system is vulnerable.

Check Version:

Check web interface or configuration files for version information.

Verify Fix Applied:

Verify installed version is 3.8.9.90 or later. Test with safe XSS payloads to confirm sanitization.

📡 Detection & Monitoring

Log Indicators:

  • URLs containing script tags, JavaScript code, or unusual characters in web server access logs

Network Indicators:

  • HTTP requests with malicious payloads in URL parameters

SIEM Query:

source="webserver.log" AND (url="*<script>*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")
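As an added example (not from the advisory or from the vendor), a small Python scanner that applies the log indicators and SIEM query above to access log lines; the log format, file layout and sample lines are constructed assumptions. It percent-decodes the request target before matching, which the literal wildcard query above does not, so encoded payloads in the logs are not missed.

```python
"""Scan web-server access log lines for the XSS indicators listed above.

Added example, not from the advisory. Log format and sample lines are
constructed assumptions; the indicator patterns are the ones in the SIEM
query (<script>, javascript:, onerror=, onload=). The request target is
URL-decoded first, because payloads in access logs are usually
percent-encoded and a literal "*<script>*" match would miss them.
"""
import re
from urllib.parse import unquote

# Indicators from the advisory's SIEM query, matched case-insensitively.
XSS_PATTERNS = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

# Common-log-format line: client, date, request, status (constructed assumption).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target: str) -> str:
    """Percent-decode repeatedly so double-encoded payloads are also visible."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target


def find_xss_hits(lines):
    """Return (client, decoded target, status) for each line whose URL carries an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        decoded = decode_target(m.group("target"))
        if XSS_PATTERNS.search(decoded):
            hits.append((m.group("client"), decoded, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic); paths and parameters are assumptions.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2024:12:00:02 +0000] "GET /missing?q=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 404 1024',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /missing?q=%2522onerror%253Dx HTTP/1.1" 404 1024',
    '198.51.100.8 - - [10/Mar/2024:12:00:04 +0000] "GET /page?next=JavaScript%3Avoid HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, target, status in find_xss_hits(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```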
