CVE-2020-28647

MEDIUM

Progress MOVEit Transfer < 2020.1 - Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28647. PoCs published by SECFORCE.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2020-28647, a stored XSS vulnerability in Progress MOVEit Transfer < 2020.1. It includes a step-by-step breakdown of the vulnerability discovery, exploitation process, and payload crafting to achieve administrative access.

Description

In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

Exploits (1)

nomisec WRITEUP
by SECFORCE · poc
https://github.com/SECFORCE/Progress-MOVEit-Transfer-2020.1-Stored-XSS-CVE-2020-28647

Classification: Writeup 100%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Progress MOVEit Transfer < 2020.1
Auth required
Prerequisites: Access to upload files in MOVEit Transfer · Victim interaction to trigger the XSS payload
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026

References (3)

Vendor Advisory x_refsource_misc
https://www.progress.com/

Scores

CVSS v3: 5.4
EPSS: 0.0141
EPSS Percentile: 69.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): progress/moveit_transfer < 2020.1
Published: Nov 17, 2020
Tracked Since: Feb 18, 2026