48 vulnerabilities found for moveit_transfer by progress
CVE-2025-13147 (GCVE-0-2025-13147)
Vulnerability from nvd – Published: 2025-11-19 20:45 – Updated: 2025-11-19 20:50
Title
External Service Interaction (DNS)
Summary
Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
Severity ?
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 0, < 2024.1.8 (semver); Affected: 2025.0.0, < 2025.0.4 (semver) |
Credits
Early Warning Services
Michael McCambridge
Brian Tigges
Jason Scribner
Alex Achs
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:49:54.892323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:50:10.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2024.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2025.0.4",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Early Warning Services"
},
{
"lang": "en",
"type": "finder",
"value": "Michael McCambridge"
},
{
"lang": "en",
"type": "finder",
"value": "Brian Tigges"
},
{
"lang": "en",
"type": "finder",
"value": "Jason Scribner"
},
{
"lang": "en",
"type": "finder",
"value": "Alex Achs"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.\u003cp\u003eThis issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:45:48.418Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html"
},
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html"
},
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "External Service Interaction (DNS)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-13147",
"datePublished": "2025-11-19T20:45:48.418Z",
"dateReserved": "2025-11-13T20:06:29.891Z",
"dateUpdated": "2025-11-19T20:50:10.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2324 (GCVE-0-2025-2324)
Vulnerability from nvd – Published: 2025-03-19 15:23 – Updated: 2025-03-19 20:17
Title
A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder
Summary
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation. This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.
Severity ?
5.9 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 2023.1.0, < 2023.1.12 (custom); Affected: 2024.0.0, < 2024.0.8 (custom); Affected: 2024.1.0, < 2024.1.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T20:16:53.538862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T20:17:04.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"SFTP"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2023.1.12",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
},
{
"lessThan": "2024.0.8",
"status": "affected",
"version": "2024.0.0",
"versionType": "custom"
},
{
"lessThan": "2024.1.2",
"status": "affected",
"version": "2024.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:23:03.486Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-2324-March-18-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-2324",
"datePublished": "2025-03-19T15:23:03.486Z",
"dateReserved": "2025-03-14T17:30:06.106Z",
"dateUpdated": "2025-03-19T20:17:04.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6576 (GCVE-0-2024-6576)
Vulnerability from nvd – Published: 2024-07-29 13:46 – Updated: 2024-08-01 21:41
Title
MOVEit Transfer Privilege Escalation Vulnerability
Summary
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.
Severity ?
7.3 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 2023.0.0, < 2023.0.12 (semver); Affected: 2023.1.0, < 2023.1.7 (semver); Affected: 2024.0.0, < 2024.0.3 (semver) |
Credits
Discovered Internally
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.0.12",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
},
{
"lessThan": "2023.1.7",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.3",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T15:51:24.094046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:07:10.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:41:03.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"SFTP"
],
"platforms": [
"Windows"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2023.0.12",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
},
{
"lessThan": "2023.1.7",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.3",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Discovered Internally"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T13:46:32.409Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Privilege Escalation Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-6576",
"datePublished": "2024-07-29T13:46:32.409Z",
"dateReserved": "2024-07-08T17:38:23.180Z",
"dateUpdated": "2024-08-01T21:41:03.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5806 (GCVE-0-2024-5806)
Vulnerability from nvd – Published: 2024-06-25 15:04 – Updated: 2024-08-01 21:25
Title
MOVEit Transfer Authentication Bypass Vulnerability
Summary
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
Severity ?
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 2023.0.0, < 2023.0.11 (semver); Affected: 2023.1.0, < 2023.1.6 (semver); Affected: 2024.0.0, < 2024.0.2 (semver) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:2023.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.0.11",
"status": "affected",
"version": "2023.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:2023.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:2024.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2024.0.2",
"status": "affected",
"version": "2024.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5806",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T03:55:23.614488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T13:22:54.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:02.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"SFTP"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2023.0.11",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.2",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T23:23:46.318Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Authentication Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-5806",
"datePublished": "2024-06-25T15:04:37.342Z",
"dateReserved": "2024-06-10T16:42:56.944Z",
"dateUpdated": "2024-08-01T21:25:02.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2291 (GCVE-0-2024-2291)
Vulnerability from nvd – Published: 2024-03-20 14:46 – Updated: 2024-08-01 19:11
Title
MOVEit Transfer Logging Bypass Vulnerability
Summary
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.
Severity ?
4.3 (Medium)
CWE
- CWE-778 - Insufficient Logging
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software | MOVEit Transfer | Affected: 2022.0.0 (14.0.0), < 2022.0.11 (14.0.11) (semver); Affected: 2022.1.0 (14.1.0), < 2022.1.12 (14.1.12) (semver); Affected: 2023.0.0 (15.0.0), < 2023.0.9 (15.0.9) (semver); Affected: 2023.1.0 (15.1.0), < 2023.1.4 (15.1.4) (semver) |
Credits
HackerOne: interl0per
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T20:09:08.372929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "MOVEit Transfer",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2022.0.11 (14.0.11)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.12 (14.1.12)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.9 (15.0.9)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2023.1.4 (15.1.4)",
"status": "affected",
"version": "2023.1.0 (15.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "HackerOne: interl0per"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u0026nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."
}
],
"impacts": [
{
"capecId": "CAPEC-268",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-268 Audit Log Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-778",
"description": "CWE-778: Insufficient Logging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T14:46:59.040Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Logging Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-2291",
"datePublished": "2024-03-20T14:46:59.040Z",
"dateReserved": "2024-03-07T17:27:18.819Z",
"dateUpdated": "2024-08-01T19:11:53.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0396 (GCVE-0-2024-0396)
Vulnerability from nvd – Published: 2024-01-17 15:56 – Updated: 2024-11-13 19:52
Title
Missing Server-Side Input Validation in HTTP Parameter
Summary
In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.
Severity ?
7.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2022.0.0 (14.0.0), < 2022.0.10 (14.0.10) (semver); Affected: 2022.1.0 (14.1.0), < 2022.1.11 (14.1.11) (semver); Affected: 2023.0.0 (15.0.0), < 2023.0.8 (15.0.8) (semver); Affected: 2023.1.0 (15.1.0), < 2023.1.3 (15.1.3) (semver) |
Credits
HackerOne: p-v-p
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T20:58:50.772488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T19:52:11.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2022.0.10 (14.0.10)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.11 (14.1.11)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.8 (15.0.8)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2023.1.3 (15.1.3)",
"status": "affected",
"version": "2023.1.0 (15.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "HackerOne: p-v-p"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-113",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-113 API Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-17T15:58:24.651Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Server-Side Input Validation in HTTP Parameter",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-0396",
"datePublished": "2024-01-17T15:56:41.390Z",
"dateReserved": "2024-01-10T13:12:29.565Z",
"dateUpdated": "2024-11-13T19:52:11.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6218 (GCVE-0-2023-6218)
Vulnerability from nvd – Published: 2023-11-29 16:14 – Updated: 2024-08-02 08:21
Title
MOVEit Transfer Group Admin Privilege Escalation
Summary
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group member's permissions to the role of an organization administrator.
Severity ?
7.2 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Unaffected: 2023.1.0(15.1.0), < 2023.1.1(15.1.1) (semver); Affected: 2023.0.0 (15.0.0), < 2023.0.7 (15.0.7) (semver); Affected: 2022.1.0 (14.1.0), < 2022.1.10 (14.1.10) (semver); Affected: 2022.0.0 (14.0.0), < 2022.0.9 (14.0.9) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.1.1(15.1.1)",
"status": "unaffected",
"version": "2023.1.0(15.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.7 (15.0.7)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.10 (14.1.10)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.9 (14.0.9)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.\u0026nbsp; It is possible for a group administrator to elevate a group members permissions to the role of an organization\u0026nbsp;administrator.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.\u00a0 It is possible for a group administrator to elevate a group members permissions to the role of an organization\u00a0administrator.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T16:14:17.324Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Group Admin Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-6218",
"datePublished": "2023-11-29T16:14:17.324Z",
"dateReserved": "2023-11-20T17:22:11.765Z",
"dateUpdated": "2024-08-02T08:21:17.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6217 (GCVE-0-2023-6217)
Vulnerability from nvd – Published: 2023-11-29 16:14 – Updated: 2024-08-02 08:21
Title
MOVEit Transfer XSS via MOVEit Gateway
Summary
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.
An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Unaffected: 2023.1.0(15.1.0) , < 2023.1.1(15.1.1) (semver); Affected: 2023.0.0 (15.0.0) , < 2023.0.7 (15.0.7) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.10 (14.1.10) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.9 (14.0.9) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface",
"MOVEit Gateway"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.1.1(15.1.1)",
"status": "unaffected",
"version": "2023.1.0(15.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.7 (15.0.7)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.10 (14.1.10)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.9 (14.0.9)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7),\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.\u0026nbsp; \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim\u2019s browser.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7),\u00a0a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.\u00a0 \n\nAn attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim\u2019s browser.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T16:14:02.264Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer XSS via MOVEit Gateway",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-6217",
"datePublished": "2023-11-29T16:14:02.264Z",
"dateReserved": "2023-11-20T17:22:06.919Z",
"dateUpdated": "2024-08-02T08:21:17.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42660 (GCVE-0-2023-42660)
Vulnerability from nvd – Published: 2023-09-20 16:04 – Updated: 2025-02-27 20:49
Title
MOVEit Transfer Machine Interface SQL Injection
Summary
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2023.0.0 (15.0.0) , < 2023.0.6 (15.0.6) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.9 (14.1.9) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.8 (14.0.8) (semver); Affected: 2021.1.0 (13.1.0) , < 2021.1.8 (13.1.8) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:40.129Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T21:51:01.378999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:49:24.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Machine Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.0.6 (15.0.6)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.9 (14.1.9)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.8 (14.0.8)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2021.1.8 (13.1.8)",
"status": "affected",
"version": "2021.1.0 (13.1.0)",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-09-20T16:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u0026nbsp;that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\u003c/span\u003e\n\n"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-20T16:15:03.255Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Machine Interface SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-42660",
"datePublished": "2023-09-20T16:04:54.432Z",
"dateReserved": "2023-09-12T13:30:29.571Z",
"dateUpdated": "2025-02-27T20:49:24.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42656 (GCVE-0-2023-42656)
Vulnerability from nvd – Published: 2023-09-20 16:06 – Updated: 2024-09-24 18:44
Title
MOVEit Transfer Reflected XSS
Summary
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2023.0.0 (15.0.0) , < 2023.0.6 (15.0.6) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.9 (14.1.9) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.8 (14.0.8) (semver); Affected: 2021.1.0 (13.1.0) , < 2021.1.8 (13.1.8) (semver) |
Credits
Bugcrowd - HusseiN98D
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:40.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T18:44:20.472054Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T18:44:28.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.0.6 (15.0.6)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.9 (14.1.9)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.8 (14.0.8)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2021.1.8 (13.1.8)",
"status": "affected",
"version": "2021.1.0 (13.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Bugcrowd - HusseiN98D"
}
],
"datePublic": "2023-09-20T16:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting\u0026nbsp;(XSS) vulnerability has been identified in MOVEit Transfer\u0027s web interface.\u0026nbsp; An attacker could craft a malicious payload targeting\u0026nbsp;MOVEit Transfer users during the package composition procedure.\u0026nbsp; If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting\u00a0(XSS) vulnerability has been identified in MOVEit Transfer\u0027s web interface.\u00a0 An attacker could craft a malicious payload targeting\u00a0MOVEit Transfer users during the package composition procedure.\u00a0 If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-20T16:15:13.621Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-42656",
"datePublished": "2023-09-20T16:06:59.527Z",
"dateReserved": "2023-09-12T13:30:29.570Z",
"dateUpdated": "2024-09-24T18:44:28.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40043 (GCVE-0-2023-40043)
Vulnerability from nvd – Published: 2023-09-20 16:06 – Updated: 2025-02-27 20:49
Title
MOVEit Transfer System Administrator SQL Injection
Summary
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2023.0.0 (15.0.0) , < 2023.0.6 (15.0.6) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.9 (14.1.9) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.8 (14.0.8) (semver); Affected: 2021.1.0 (13.1.0) , < 2021.1.8 (13.1.8) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T21:50:59.729139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:49:18.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.0.6 (15.0.6)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.9 (14.1.9)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.8 (14.0.8)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2021.1.8 (13.1.8)",
"status": "affected",
"version": "2021.1.0 (13.1.0)",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-09-20T16:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u0026nbsp;that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u0026nbsp;MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\u003c/span\u003e\n\n"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u00a0that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u00a0MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-20T16:15:19.179Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer System Administrator SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-40043",
"datePublished": "2023-09-20T16:06:00.755Z",
"dateReserved": "2023-08-08T19:44:41.111Z",
"dateUpdated": "2025-02-27T20:49:18.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36934 (GCVE-0-2023-36934)
Vulnerability from nvd – Published: 2023-07-05 00:00 – Updated: 2024-11-21 14:36
Summary
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:34:21.808173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:36:15.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.progress.com/moveit"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36934",
"datePublished": "2023-07-05T00:00:00",
"dateReserved": "2023-06-28T00:00:00",
"dateUpdated": "2024-11-21T14:36:15.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36933 (GCVE-0-2023-36933)
Vulnerability from nvd – Published: 2023-07-05 00:00 – Updated: 2024-11-21 14:38
Summary
In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:38:19.418464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:38:28.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.progress.com/moveit"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36933",
"datePublished": "2023-07-05T00:00:00",
"dateReserved": "2023-06-28T00:00:00",
"dateUpdated": "2024-11-21T14:38:28.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36932 (GCVE-0-2023-36932)
Vulnerability from nvd – Published: 2023-07-05 00:00 – Updated: 2024-11-21 14:39
Summary
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:10.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:39:45.764392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:39:55.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.progress.com/moveit"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36932",
"datePublished": "2023-07-05T00:00:00",
"dateReserved": "2023-06-28T00:00:00",
"dateUpdated": "2024-11-21T14:39:55.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35708 (GCVE-0-2023-35708)
Vulnerability from nvd – Published: 2023-06-16 00:00 – Updated: 2025-02-13 16:55
Summary
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Severity ?
No CVSS data available.
CWE
- n/a (the record assigns no CWE; its description identifies the issue as SQL injection)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:44.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35708",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T17:08:25.902267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T17:08:40.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer\u0027s database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-16T13:50:32.680Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023"
},
{
"url": "https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35708",
"datePublished": "2023-06-16T00:00:00.000Z",
"dateReserved": "2023-06-15T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:55:54.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-13147 (GCVE-0-2025-13147)
Vulnerability from cvelistv5 – Published: 2025-11-19 20:45 – Updated: 2025-11-19 20:50
Title
External Service Interaction (DNS)
Summary
Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
Severity ?
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 0, < 2024.1.8 (semver); Affected: 2025.0.0, < 2025.0.4 (semver) |
Credits
Early Warning Services
Michael McCambridge
Brian Tigges
Jason Scribner
Alex Achs
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:49:54.892323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:50:10.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2024.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "2025.0.4",
"status": "affected",
"version": "2025.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Early Warning Services"
},
{
"lang": "en",
"type": "finder",
"value": "Michael McCambridge"
},
{
"lang": "en",
"type": "finder",
"value": "Brian Tigges"
},
{
"lang": "en",
"type": "finder",
"value": "Jason Scribner"
},
{
"lang": "en",
"type": "finder",
"value": "Alex Achs"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.\u003cp\u003eThis issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:45:48.418Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html"
},
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html"
},
{
"url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "External Service Interaction (DNS)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-13147",
"datePublished": "2025-11-19T20:45:48.418Z",
"dateReserved": "2025-11-13T20:06:29.891Z",
"dateUpdated": "2025-11-19T20:50:10.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2324 (GCVE-0-2025-2324)
Vulnerability from cvelistv5 – Published: 2025-03-19 15:23 – Updated: 2025-03-19 20:17
Title
A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder
Summary
Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation. This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.
Severity ?
5.9 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 2023.1.0, < 2023.1.12 (custom); Affected: 2024.0.0, < 2024.0.8 (custom); Affected: 2024.1.0, < 2024.1.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T20:16:53.538862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T20:17:04.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"SFTP"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2023.1.12",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
},
{
"lessThan": "2024.0.8",
"status": "affected",
"version": "2024.0.0",
"versionType": "custom"
},
{
"lessThan": "2024.1.2",
"status": "affected",
"version": "2024.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:23:03.486Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-2324-March-18-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-2324",
"datePublished": "2025-03-19T15:23:03.486Z",
"dateReserved": "2025-03-14T17:30:06.106Z",
"dateUpdated": "2025-03-19T20:17:04.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6576 (GCVE-0-2024-6576)
Vulnerability from cvelistv5 – Published: 2024-07-29 13:46 – Updated: 2024-08-01 21:41
Title
MOVEit Transfer Privilege Escalation Vulnerability
Summary
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.
Severity ?
7.3 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 2023.0.0, < 2023.0.12 (semver); Affected: 2023.1.0, < 2023.1.7 (semver); Affected: 2024.0.0, < 2024.0.3 (semver) |
Credits
Discovered Internally
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.0.12",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
},
{
"lessThan": "2023.1.7",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.3",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6576",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T15:51:24.094046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T16:07:10.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:41:03.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"SFTP"
],
"platforms": [
"Windows"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2023.0.12",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
},
{
"lessThan": "2023.1.7",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.3",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Discovered Internally"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T13:46:32.409Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Privilege Escalation Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-6576",
"datePublished": "2024-07-29T13:46:32.409Z",
"dateReserved": "2024-07-08T17:38:23.180Z",
"dateUpdated": "2024-08-01T21:41:03.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5806 (GCVE-0-2024-5806)
Vulnerability from cvelistv5 – Published: 2024-06-25 15:04 – Updated: 2024-08-01 21:25
Title
MOVEit Transfer Authentication Bypass Vulnerability
Summary
Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
Severity ?
9.1 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress | MOVEit Transfer | Affected: 2023.0.0, < 2023.0.11 (semver); Affected: 2023.1.0, < 2023.1.6 (semver); Affected: 2024.0.0, < 2024.0.2 (semver) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:2023.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.0.11",
"status": "affected",
"version": "2023.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:2023.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:moveit_transfer:2024.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moveit_transfer",
"vendor": "progress",
"versions": [
{
"lessThan": "2024.0.2",
"status": "affected",
"version": "2024.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5806",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T03:55:23.614488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T13:22:54.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:02.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"SFTP"
],
"product": "MOVEit Transfer",
"vendor": "Progress",
"versions": [
{
"lessThan": "2023.0.11",
"status": "affected",
"version": "2023.0.0",
"versionType": "semver"
},
{
"lessThan": "2023.1.6",
"status": "affected",
"version": "2023.1.0",
"versionType": "semver"
},
{
"lessThan": "2024.0.2",
"status": "affected",
"version": "2024.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-25T23:23:46.318Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Authentication Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-5806",
"datePublished": "2024-06-25T15:04:37.342Z",
"dateReserved": "2024-06-10T16:42:56.944Z",
"dateUpdated": "2024-08-01T21:25:02.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2291 (GCVE-0-2024-2291)
Vulnerability from cvelistv5 – Published: 2024-03-20 14:46 – Updated: 2024-08-01 19:11
Title
MOVEit Transfer Logging Bypass Vulnerability
Summary
In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered. An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.
Severity ?
4.3 (Medium)
CWE
- CWE-778 - Insufficient Logging
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software | MOVEit Transfer | Affected: 2022.0.0 (14.0.0), < 2022.0.11 (14.0.11) (semver); Affected: 2022.1.0 (14.1.0), < 2022.1.12 (14.1.12) (semver); Affected: 2023.0.0 (15.0.0), < 2023.0.9 (15.0.9) (semver); Affected: 2023.1.0 (15.1.0), < 2023.1.4 (15.1.4) (semver) |
Credits
HackerOne: interl0per
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-20T20:09:08.372929Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "MOVEit Transfer",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "2022.0.11 (14.0.11)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.12 (14.1.12)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.9 (15.0.9)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2023.1.4 (15.1.4)",
"status": "affected",
"version": "2023.1.0 (15.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "HackerOne: interl0per"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u0026nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."
}
],
"impacts": [
{
"capecId": "CAPEC-268",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-268 Audit Log Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-778",
"description": "CWE-778: Insufficient Logging",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-20T14:46:59.040Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Logging Bypass Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-2291",
"datePublished": "2024-03-20T14:46:59.040Z",
"dateReserved": "2024-03-07T17:27:18.819Z",
"dateUpdated": "2024-08-01T19:11:53.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0396 (GCVE-0-2024-0396)
Vulnerability from cvelistv5 – Published: 2024-01-17 15:56 – Updated: 2024-11-13 19:52
Title
Missing Server-Side Input Validation in HTTP Parameter
Summary
In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.
Severity ?
7.1 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2022.0.0 (14.0.0), < 2022.0.10 (14.0.10) (semver); Affected: 2022.1.0 (14.1.0), < 2022.1.11 (14.1.11) (semver); Affected: 2023.0.0 (15.0.0), < 2023.0.8 (15.0.8) (semver); Affected: 2023.1.0 (15.1.0), < 2023.1.3 (15.1.3) (semver) |
Credits
HackerOne: p-v-p
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-23T20:58:50.772488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T19:52:11.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2022.0.10 (14.0.10)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.11 (14.1.11)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.8 (15.0.8)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2023.1.3 (15.1.3)",
"status": "affected",
"version": "2023.1.0 (15.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "HackerOne: p-v-p"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-113",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-113 API Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-17T15:58:24.651Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Server-Side Input Validation in HTTP Parameter",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-0396",
"datePublished": "2024-01-17T15:56:41.390Z",
"dateReserved": "2024-01-10T13:12:29.565Z",
"dateUpdated": "2024-11-13T19:52:11.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6218 (GCVE-0-2023-6218)
Vulnerability from cvelistv5 – Published: 2023-11-29 16:14 – Updated: 2024-08-02 08:21
Title
MOVEit Transfer Group Admin Privilege Escalation
Summary
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified. It is possible for a group administrator to elevate a group member's permissions to the role of an organization administrator.
Severity ?
7.2 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Unaffected: 2023.1.0(15.1.0) , < 2023.1.1(15.1.1) (semver); Affected: 2023.0.0 (15.0.0) , < 2023.0.7 (15.0.7) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.10 (14.1.10) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.9 (14.0.9) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.1.1(15.1.1)",
"status": "unaffected",
"version": "2023.1.0(15.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.7 (15.0.7)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.10 (14.1.10)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.9 (14.0.9)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.\u0026nbsp; It is possible for a group administrator to elevate a group members permissions to the role of an organization\u0026nbsp;administrator.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a privilege escalation path associated with group administrators has been identified.\u00a0 It is possible for a group administrator to elevate a group members permissions to the role of an organization\u00a0administrator.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T16:14:17.324Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Group Admin Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-6218",
"datePublished": "2023-11-29T16:14:17.324Z",
"dateReserved": "2023-11-20T17:22:11.765Z",
"dateUpdated": "2024-08-02T08:21:17.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6217 (GCVE-0-2023-6217)
Vulnerability from cvelistv5 – Published: 2023-11-29 16:14 – Updated: 2024-08-02 08:21
Title
MOVEit Transfer XSS via MOVEit Gateway
Summary
In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.
An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Unaffected: 2023.1.0(15.1.0) , < 2023.1.1(15.1.1) (semver); Affected: 2023.0.0 (15.0.0) , < 2023.0.7 (15.0.7) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.10 (14.1.10) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.9 (14.0.9) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface",
"MOVEit Gateway"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.1.1(15.1.1)",
"status": "unaffected",
"version": "2023.1.0(15.1.0)",
"versionType": "semver"
},
{
"lessThan": "2023.0.7 (15.0.7)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.10 (14.1.10)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.9 (14.0.9)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7),\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.\u0026nbsp; \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim\u2019s browser.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7),\u00a0a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer.\u00a0 \n\nAn attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim\u2019s browser.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-29T16:14:02.264Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer XSS via MOVEit Gateway",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-6217",
"datePublished": "2023-11-29T16:14:02.264Z",
"dateReserved": "2023-11-20T17:22:06.919Z",
"dateUpdated": "2024-08-02T08:21:17.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42656 (GCVE-0-2023-42656)
Vulnerability from cvelistv5 – Published: 2023-09-20 16:06 – Updated: 2024-09-24 18:44
Title
MOVEit Transfer Reflected XSS
Summary
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting (XSS) vulnerability has been identified in MOVEit Transfer's web interface. An attacker could craft a malicious payload targeting MOVEit Transfer users during the package composition procedure. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2023.0.0 (15.0.0) , < 2023.0.6 (15.0.6) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.9 (14.1.9) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.8 (14.0.8) (semver); Affected: 2021.1.0 (13.1.0) , < 2021.1.8 (13.1.8) (semver) |
Credits
Bugcrowd - HusseiN98D
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:40.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T18:44:20.472054Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T18:44:28.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.0.6 (15.0.6)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.9 (14.1.9)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.8 (14.0.8)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2021.1.8 (13.1.8)",
"status": "affected",
"version": "2021.1.0 (13.1.0)",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Bugcrowd - HusseiN98D"
}
],
"datePublic": "2023-09-20T16:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting\u0026nbsp;(XSS) vulnerability has been identified in MOVEit Transfer\u0027s web interface.\u0026nbsp; An attacker could craft a malicious payload targeting\u0026nbsp;MOVEit Transfer users during the package composition procedure.\u0026nbsp; If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser.\u003c/span\u003e"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a reflected cross-site scripting\u00a0(XSS) vulnerability has been identified in MOVEit Transfer\u0027s web interface.\u00a0 An attacker could craft a malicious payload targeting\u00a0MOVEit Transfer users during the package composition procedure.\u00a0 If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-20T16:15:13.621Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-42656",
"datePublished": "2023-09-20T16:06:59.527Z",
"dateReserved": "2023-09-12T13:30:29.570Z",
"dateUpdated": "2024-09-24T18:44:28.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40043 (GCVE-0-2023-40043)
Vulnerability from cvelistv5 – Published: 2023-09-20 16:06 – Updated: 2025-02-27 20:49
Title
MOVEit Transfer System Administrator SQL Injection
Summary
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A MOVEit system administrator could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2023.0.0 (15.0.0) , < 2023.0.6 (15.0.6) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.9 (14.1.9) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.8 (14.0.8) (semver); Affected: 2021.1.0 (13.1.0) , < 2021.1.8 (13.1.8) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T21:50:59.729139Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:49:18.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Web Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.0.6 (15.0.6)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.9 (14.1.9)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.8 (14.0.8)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2021.1.8 (13.1.8)",
"status": "affected",
"version": "2021.1.0 (13.1.0)",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-09-20T16:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u0026nbsp;that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u0026nbsp;MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\u003c/span\u003e\n\n"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer web interface\u00a0that could allow a MOVEit system administrator account to gain unauthorized access to the MOVEit Transfer database. A\u00a0MOVEit system administrator\n\n could submit a crafted payload to the MOVEit Transfer web interface which could result in modification and disclosure of MOVEit database content.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-20T16:15:19.179Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer System Administrator SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-40043",
"datePublished": "2023-09-20T16:06:00.755Z",
"dateReserved": "2023-08-08T19:44:41.111Z",
"dateUpdated": "2025-02-27T20:49:18.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42660 (GCVE-0-2023-42660)
Vulnerability from cvelistv5 – Published: 2023-09-20 16:04 – Updated: 2025-02-27 20:49
Title
MOVEit Transfer Machine Interface SQL Injection
Summary
In Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Progress Software Corporation | MOVEit Transfer | Affected: 2023.0.0 (15.0.0) , < 2023.0.6 (15.0.6) (semver); Affected: 2022.1.0 (14.1.0) , < 2022.1.9 (14.1.9) (semver); Affected: 2022.0.0 (14.0.0) , < 2022.0.8 (14.0.8) (semver); Affected: 2021.1.0 (13.1.0) , < 2021.1.8 (13.1.8) (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:40.129Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T21:51:01.378999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T20:49:24.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"MOVEit Transfer Machine Interface"
],
"product": "MOVEit Transfer",
"vendor": "Progress Software Corporation",
"versions": [
{
"lessThan": "2023.0.6 (15.0.6)",
"status": "affected",
"version": "2023.0.0 (15.0.0)",
"versionType": "semver"
},
{
"lessThan": "2022.1.9 (14.1.9)",
"status": "affected",
"version": "2022.1.0 (14.1.0)",
"versionType": "semver"
},
{
"lessThan": "2022.0.8 (14.0.8)",
"status": "affected",
"version": "2022.0.0 (14.0.0)",
"versionType": "semver"
},
{
"lessThan": "2021.1.8 (13.1.8)",
"status": "affected",
"version": "2021.1.0 (13.1.0)",
"versionType": "semver"
}
]
}
],
"datePublic": "2023-09-20T16:03:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u0026nbsp;that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\u003c/span\u003e\n\n"
}
],
"value": "\nIn Progress MOVEit Transfer versions released before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6), a SQL injection vulnerability has been identified in the MOVEit Transfer machine interface\u00a0that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to the MOVEit Transfer machine interface which could result in modification and disclosure of MOVEit database content.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-20T16:15:03.255Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MOVEit Transfer Machine Interface SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2023-42660",
"datePublished": "2023-09-20T16:04:54.432Z",
"dateReserved": "2023-09-12T13:30:29.571Z",
"dateUpdated": "2025-02-27T20:49:24.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36932 (GCVE-0-2023-36932)
Vulnerability from cvelistv5 – Published: 2023-07-05 00:00 – Updated: 2024-11-21 14:39
Summary
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:10.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:39:45.764392Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:39:55.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.progress.com/moveit"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36932",
"datePublished": "2023-07-05T00:00:00",
"dateReserved": "2023-06-28T00:00:00",
"dateUpdated": "2024-11-21T14:39:55.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36933 (GCVE-0-2023-36933)
Vulnerability from cvelistv5 – Published: 2023-07-05 00:00 – Updated: 2024-11-21 14:38
Summary
In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36933",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:38:19.418464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:38:28.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), it is possible for an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.progress.com/moveit"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36933",
"datePublished": "2023-07-05T00:00:00",
"dateReserved": "2023-06-28T00:00:00",
"dateUpdated": "2024-11-21T14:38:28.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36934 (GCVE-0-2023-36934)
Vulnerability from cvelistv5 – Published: 2023-07-05 00:00 – Updated: 2024-11-21 14:36
Summary
In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:01:09.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/moveit"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T14:34:21.808173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:36:15.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-05T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.progress.com/moveit"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-36934",
"datePublished": "2023-07-05T00:00:00",
"dateReserved": "2023-06-28T00:00:00",
"dateUpdated": "2024-11-21T14:36:15.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35708 (GCVE-0-2023-35708)
Vulnerability from cvelistv5 – Published: 2023-06-16 00:00 – Updated: 2025-02-13 16:55
Summary
In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. Fixed versions of the DLL drop-in are 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:30:44.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability"
},
{
"tags": [
"x_transferred"
],
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-35708",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T17:08:25.902267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T17:08:40.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer\u0027s database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-16T13:50:32.680Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/alerts/2023/06/15/progress-software-releases-security-advisory-moveit-transfer-vulnerability"
},
{
"url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023"
},
{
"url": "https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-35708",
"datePublished": "2023-06-16T00:00:00.000Z",
"dateReserved": "2023-06-15T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:55:54.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}