- 237/2023
- High
MOVEit Transfer has released security updates to address multiple vulnerabilities in multiple versions of Progress MOVEit Transfer.
The addressed vulnerabilities could allow the remote attacker to perform either cross-site scripting attack by sending specially crafted URLs, or SQL injection attack to view, add, modify, or delete information in the back-end database on the affected system.
Sample of the addressed vulnerabilities:
1. Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-42660):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Data Manipulation
2. Progress MOVEit Transfer Cross-Site Scripting Vulnerability (CVE-2023-42656):
- CVSS: 6.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
Affected versions:
- MOVEit Transfer 2023.0.x (15.0.x).
- MOVEit Transfer 2022.1.x (14.1.x).
- MOVEit Transfer 2022.0.x (14.0.x).
- MOVEit Transfer 2021.1.x (13.1.x).
- MOVEit Transfer 2021.0.x (13.0.x) or older.
Vulnerabilities
- CVE-2023-40043
- CVE-2023-42656
- CVE-2023-42660
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.