- 141/2023
- Critical
MOVEit Transfer has released a security update to address a critical vulnerability.
The addressed vulnerability could allow the remote attacker to submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.
The addressed vulnerability:
Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-35708):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privileges
Affected versions:
- MOVEit Transfer 2023.0.x (15.0.x).
- MOVEit Transfer 2022.1.x (14.1.x).
- MOVEit Transfer 2022.0.x (14.0.x).
- MOVEit Transfer 2021.1.x (13.1.x).
- MOVEit Transfer 2021.0.x (13.0.x).
- MOVEit Transfer 2020.1.x (12.1).
- MOVEit Transfer 2020.0.x (12.0) or older.
- MOVEit Cloud.
Vulnerabilities
CVE-2023-35708
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.