SQL Injection Vulnerability in MOVEit Transfer by Progress
CVE-2021-37614

8.8HIGH

Key Information:

Vendor
Progress
Status
Moveit Transfer
Vendor
CVE Published:
5 August 2021

Summary

An SQL injection vulnerability exists in earlier versions of the MOVEit Transfer web application, allowing authenticated remote attackers to access the underlying database. Exploitation of this vulnerability could enable attackers to extract sensitive information about the database structure and contents, or even manipulate or delete database records. This risk is contingent on the database engine in use, such as MySQL, Microsoft SQL Server, or Azure SQL. Users are urged to update to the latest secure versions to mitigate potential risks.

References

https://community.progress.com/s/article/MOVEit-Transfer-...
x_refsource_CONFIRM
https://docs.ipswitch.com/MOVEit/Transfer2019/ReleaseNote...
x_refsource_MISC
https://docs.ipswitch.com/MOVEit/Transfer2021/ReleaseNote...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.