Description
In Progress MOVEit Transfer before 2020.1, a malicious user could craft and store a payload within the application. If a victim within the MOVEit Transfer instance interacts with the stored payload, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).
Exploits (1)
nomisec
WRITEUP
by SECFORCE · poc
https://github.com/SECFORCE/Progress-MOVEit-Transfer-2020.1-Stored-XSS-CVE-2020-28647
References (3)
Core References
Vendor Advisory x_refsource_misc
https://www.progress.com/
Vendor Advisory x_refsource_confirm
https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-Nov-2020
Exploit, Third Party Advisory x_refsource_misc
https://labs.secforce.com/posts/progress-moveit-transfer-2020.1-stored-xss-cve-2020-28647/
Scores
CVSS v3: 5.4
EPSS: 0.0009
EPSS Percentile: 25.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): progress/moveit_transfer < 2020.1
Published: Nov 17, 2020
Tracked Since: Feb 18, 2026