CVE-2020-8612

CRITICAL

MOVEit Transfer <2019.1.4-2019.2.1 - Authenticated XSS

Title source: llm

Description

In Progress MOVEit Transfer 2019.1 before 2019.1.4 and 2019.2 before 2019.2.1, a REST API endpoint failed to adequately sanitize malicious input, which could allow an authenticated attacker to execute arbitrary code in a victim's browser, aka XSS.

References (4)

Core 4

Core References

Release Notes, Vendor Advisory x_refsource_confirm

https://docs.ipswitch.com/MOVEit/Transfer2019_1/ReleaseNotes/en/index.htm#49443.htm

Patch, Vendor Advisory x_refsource_misc

https://community.ipswitch.com/s/article/MOVEit-Transfer-Security-Vulnerabilities-Feb-2020

Release Notes, Vendor Advisory x_refsource_confirm

https://docs.ipswitch.com/MOVEit/Transfer2019_2/ReleaseNotes/en/index.htm#49677.htm

Product x_refsource_confirm

https://status.moveitcloud.com/

Scores

CVSS v3 9.0

EPSS 0.0003

EPSS Percentile 7.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (2)

progess/moveit_transfer 2019.1 - 2019.1.4

progress/moveit_transfer 2019.2 - 2019.2.1

Published Feb 14, 2020

Tracked Since Feb 18, 2026