CVE-2023-36932

In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023	Release Notes Vendor Advisory
https://www.progress.com/moveit	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::
	cpe:2.3:a:progress:moveit_transfer::::::::

History

12 Jul 2023, 15:52

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
CWE		CWE-89
First Time		Progress moveit Transfer Progress
References	~~(MISC) https://www.progress.com/moveit -~~	(MISC) https://www.progress.com/moveit - Product
References	~~(CONFIRM) https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023 -~~	(CONFIRM) https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023 - Release Notes, Vendor Advisory
CPE		cpe:2.3:a:progress:moveit_transfer::::::::

05 Jul 2023, 16:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-05 16:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-36932

Mitre link : CVE-2023-36932

CVE.ORG link : CVE-2023-36932

JSON object : View

Products Affected

progress

moveit_transfer

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-36932", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2023-07-05T16:15:09.687", "references": [{"url": "https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.progress.com/moveit", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content."}], "lastModified": "2023-07-12T15:52:56.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20EBACE7-9CEE-460F-9762-6B390E992E9E", "versionEndExcluding": "2020.1.11"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4FAFFDF-9990-405B-9FC6-77FAB1D580DD", "versionEndExcluding": "2021.0.9", "versionStartIncluding": "2021.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D6B93D5-C069-45A3-ABC5-26B2EBBAE204", "versionEndExcluding": "2021.1.7", "versionStartIncluding": "2021.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D02CADA-98EC-4CBA-95A0-7D4064BD5445", "versionEndExcluding": "2022.0.7", "versionStartIncluding": "2022.0.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9463F53E-4941-4658-AB1D-0056B4E076F5", "versionEndExcluding": "2022.1.8", "versionStartIncluding": "2022.1.0"}, {"criteria": "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E19DF4E3-FAF8-4A4B-B2C5-7013BABBDBB5", "versionEndExcluding": "2023.0.4", "versionStartIncluding": "2023.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}