MOVEit Transfer System Administrator SQL Injection
CVE-2023-40043

7.2HIGH

Key Information:

Vendor: Progress Software
Status: MOVEit Transfer
Vendor: CVE Published:; 20 September 2023

Summary

A SQL injection vulnerability exists in the MOVEit Transfer web interface, allowing a system administrator account to send a specially crafted payload. This could lead to unauthorized access to the MOVEit Transfer database, enabling potential modification and disclosure of sensitive database content. Users of impacted versions are encouraged to assess their environments and apply necessary security measures.

Affected Version(s)

MOVEit Transfer 2023.0.0 (15.0.0)

MOVEit Transfer 2023.0.0 (15.0.0) < 2023.0.6 (15.0.6)

MOVEit Transfer 2022.1.0 (14.1.0) < 2022.1.9 (14.1.9)

References

https://www.progress.com/moveit

product

https://community.progress.com/s/article/MOVEit-Transfer-...

vendor-advisory

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Aug 8, 2023