- 154/2023
- Critical
MOVEit Transfer has released a security update to address multiple vulnerabilities in multiple versions of Progress MOVEit Transfer.
The addressed vulnerabilities could allow the remote attacker to cause a denial of service, or SQL injection attacks to view, add, modify, or delete information in the back-end database on the affected system.
Sample of the addressed vulnerabilities:
Progress Software MOVEit Transfer SQL Injection (CVE-2023-36934):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Data Manipulation
Affected versions:
- MOVEit Transfer 2023.0.x (15.0.x).
- MOVEit Transfer 2022.1.x (14.1.x).
- MOVEit Transfer 2022.0.x (14.0.x).
- MOVEit Transfer 2021.1.x (13.1.x).
- MOVEit Transfer 2021.0.x (13.0.x).
- MOVEit Transfer 2020.1.6 (12.1.6).
- MOVEit Transfer 2020.0.x (12.0.x).
Vulnerabilities
- CVE-2023-36932
- CVE-2023-36933
- CVE-2023-36934
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.