Security Advisory: Critical SQL Injection Vulnerability
We have identified a critical security vulnerability affecting both the user portal and administration modules, where an authenticated user could potentially alter database information through SQL injection. This vulnerability does not expose existing user data or other sensitive information stored in the database.
We strongly recommend that all clients update to the latest release of WorkflowGen for their specific version, which includes a fix for this issue.
- WorkflowGen v9.0.7 Release Notes and Download
- WorkflowGen v8.3.3 Release Notes and Download
- WorkflowGen v7.22.15 Release Notes and Download
Hotfixes are available for the following older versions:
- Version 6 (for v6.6.0 and older - this patch includes previous fixes for #664 and #1550)

  **Note:** If you are using an older version of 6 (e.g., v6.0.0+), please upgrade to v6.6.0 with the upgrade pack before applying this patch.

  To install the fix:
  - Stop the WorkflowGen engine and directory synchronization services.
  - Copy and overwrite all `*.dll` and `*.exe` files from the update pack to the corresponding `Bin` folders on your server:
    - `\wfgen\bin`
    - `\wfgen\wfapps\webforms\bin`
    - `\wfgen\ws\bin`
    - `Program Files\Advantys\WorkflowGen\Services\bin`
- Version 5 (for v5.7.4 and older)

  **Note:** If you are using an older version of 5 (e.g., v5.0.0+), please upgrade to v5.7.4 with the upgrade pack before applying this patch.

  To install the fix:

  Copy and overwrite all `*.dll` files from the update pack to the `\wfgen\bin` folder on your server.
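
After copying the files for either the version 6 or the version 5 hotfix, you can confirm that every binary in the update pack actually replaced its counterpart on the server. The PowerShell function below is an added example, not part of the vendor's advisory or update pack; `Test-HotfixCopy`, `$PackDir` and `$BinDir` are hypothetical names, and it assumes the pack files destined for one `Bin` folder sit together in one extracted folder.

```powershell
# Added example: compare update-pack binaries with the copies in one Bin folder.
# Assumption: $PackDir holds the extracted pack files meant for $BinDir.
function Test-HotfixCopy {
    param(
        [Parameter(Mandatory)][string]$PackDir,    # extracted update pack folder (placeholder)
        [Parameter(Mandatory)][string]$BinDir,     # one target folder, e.g. <site root>\wfgen\bin
        [string[]]$Patterns = @('*.dll', '*.exe')  # pass only '*.dll' for the version 5 hotfix
    )

    foreach ($pattern in $Patterns) {
        Get-ChildItem -Path $PackDir -Filter $pattern -File | ForEach-Object {
            $target = Join-Path $BinDir $_.Name

            $status = if (-not (Test-Path -LiteralPath $target)) {
                'Missing'     # file from the pack was never copied
            } elseif ((Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ne
                      (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash) {
                'Mismatch'    # old binary still in place, e.g. the overwrite did not succeed
            } else {
                'Match'
            }

            [pscustomobject]@{
                File   = $_.Name
                Target = $target
                Status = $status
            }
        }
    }
}

# Usage (paths are placeholders; run once per Bin folder listed above):
#   Test-HotfixCopy -PackDir '<extracted pack folder>' -BinDir '<site root>\wfgen\bin' |
#       Where-Object Status -ne 'Match'
# No output from the filtered call means every pack file is present and identical.
```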